VirusTotal Release Notes - Emiliano Martinez

October 30th, 2023 - Holistic searching, VirusTotal connectors, GenAI chat bot, file similarity summaries and more<h3 style="text-align: left;">What’s new?</h3><ul style="text-align: left;"><li id="holistic_search"><b>Holistic search across IoCs and adversary intelligence knowledge cards.</b> VirusTotal’s <a href="https://assets.virustotal.com/vt-deep-dive-threat-landscape-module.pdf">Threat Landscape</a> module incorporates {attribution, threat actor, campaign, toolkit} knowledge cards into our top VirusTotal packages. As of now, whenever you perform free text searches in VirusTotal (<i>e.g. “Emotet”, “Sofacy”, “cve-2017-11882”, “leaked builders”, etc.</i>), the search is executed not only against the IoC corpus (e.g. antivirus labels for files) but also against the full VirusTotal knowledge base, including actor/collection knowledge cards, online references and reporting, rules, graph investigations and community comments. The adversary intelligence content appears as a side block on search result listings; clicking on any of its items takes you to the pertinent knowledge card. 
Note that this functionality is only available to users with access to the Threat Landscape module.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSQTSEkdbJdd4kFMhKJFIqceKlElCXm4i-6Bb8mScOYMhQYq6AgRfxd0C1_I9OkYA4HlQjWGQ0R5GCUAzA_GjEbJmEm8fSfWfmdn-eyO78WBnWkifmtkH1V4gTC0pv6wyTrgH9eNz03_56tbZycDXu5cTpoXG_HJZzOE4KfOnRhFTBWYqSpXxo1jsYyVY/s1414/Screenshot%202023-11-07%20at%2014.44.51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="859" data-original-width="1414" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSQTSEkdbJdd4kFMhKJFIqceKlElCXm4i-6Bb8mScOYMhQYq6AgRfxd0C1_I9OkYA4HlQjWGQ0R5GCUAzA_GjEbJmEm8fSfWfmdn-eyO78WBnWkifmtkH1V4gTC0pv6wyTrgH9eNz03_56tbZycDXu5cTpoXG_HJZzOE4KfOnRhFTBWYqSpXxo1jsYyVY/s16000/Screenshot%202023-11-07%20at%2014.44.51.png" /></a></div><div><br /></div><ul style="text-align: left;"><li id="mitre"><b>MITRE ATT&CK TTPs in threat {collection, actor} knowledge cards, with shortcuts to open them in MITRE ATT&CK Navigator.</b> VirusTotal aggregates not only detection engines but also dynamic analysis sandboxes. Mandiant CAPA and some of the sandboxes that we aggregate map execution observations to MITRE ATT&CK tactics and techniques and <a href="https://github.com/MBCProject/mbc-markdown">Malware Behavior Catalog</a> behaviors - <a href="https://www.virustotal.com/gui/file/10e881fd9f7ebfe20fcd580f5fc0bb9617cd62d01d347fdcb32c63dbe0f3dac0/behavior">see example report</a>. When building <a href="https://assets.virustotal.com/vt-deep-dive-threat-landscape-module.pdf">threat {collection, actor} cards</a>, VirusTotal aggregates the mapped TTPs of all the IoCs linked to a given campaign/toolkit/actor and displays them in the <a href="https://www.virustotal.com/gui/threat-actor/b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d/ttps">TTP tab of the pertinent knowledge card</a>. 
We’ve now included shortcuts to open these TTP mappings in <a href="https://mitre-attack.github.io/attack-navigator/">MITRE ATT&CK Navigator</a>.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJh0_Zs8E5hd_IEeBkMkjfVN1ULi685j4yM9GDyTrfcFQIuFnsgpc9EWQvuMcRSCPrS692oP-4_cNSmPZOJ_kEEED8mXqJYUlnmlgOlP4J4O3YG1GjJaYkmkXk8ibEf1QKjpvQ9fRrzbsJlwaIRU1Q8TAIyASNUf2yKIi4xr7l14Zdv754Ek3vjTH2gv4/s690/Screenshot%202023-11-07%20at%2014.46.21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="319" data-original-width="690" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJh0_Zs8E5hd_IEeBkMkjfVN1ULi685j4yM9GDyTrfcFQIuFnsgpc9EWQvuMcRSCPrS692oP-4_cNSmPZOJ_kEEED8mXqJYUlnmlgOlP4J4O3YG1GjJaYkmkXk8ibEf1QKjpvQ9fRrzbsJlwaIRU1Q8TAIyASNUf2yKIi4xr7l14Zdv754Ek3vjTH2gv4/s16000/Screenshot%202023-11-07%20at%2014.46.21.png" /></a></div><div><br /></div><ul style="text-align: left;"><li id="new_relations"><b>New and enhanced relations in VirusTotal’s underlying threat graph.</b> VirusTotal provides rich context about IoCs. Some of that context is based on relationships with other IoCs and adversary entities, for example: contacted domains, download URLs, resolved IP addresses, compressed bundle parents, execution first stages, etc. We’ve enhanced VirusTotal’s core threat graph as follows:</li><ul><ul><li><u>Added “redirects to” relationship.</u> VirusTotal has been displaying target redirection URLs in the Details tab of URL reports for some time now, but this data point had never been exposed as a full-blown relationship displayed in the Relations tab and explorable via VT Graph. We have now rolled out the “redirects to” relationship.</li><li><u>Enhanced embedded URLs relationship with memory pattern URLs. 
</u>VirusTotal extracts URL patterns from the raw binary body of files and <a href="https://www.virustotal.com/gui/file/91e359e98df513ef6ce1fad21ddb8cea02eee0339c77a6dcf7d2e2ea451b4bd1/relations">builds the embedded URLs relationship with them</a>. This data point is very interesting but also very easy to evade via obfuscation, packing and some other common anti-analysis techniques. To overcome this, as we execute uploaded files in multiple sandboxes, we are now extracting URL patterns from memory and also feeding the embedded URLs relationship with them.</li></ul></ul></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwF9QVBIhz3QCIQdl3N6cqqfO2M5fjDSxBjRShr5r_H06TgxZa7hzBlDMm0aZkdmK1oDOzyshsRjfG-Ml7X7NzZOhtRm8-prIn-qQhlifgVKBFWoMKyKDT1nkQaE3cCfiu_11lEs2bt2WOMsvR5Cp5WE4YHTusxvx9gfKionwMrWrnfUnUS2pbmGi9Np0/s695/Screenshot%202023-11-07%20at%2013.10.59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="128" data-original-width="695" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwF9QVBIhz3QCIQdl3N6cqqfO2M5fjDSxBjRShr5r_H06TgxZa7hzBlDMm0aZkdmK1oDOzyshsRjfG-Ml7X7NzZOhtRm8-prIn-qQhlifgVKBFWoMKyKDT1nkQaE3cCfiu_11lEs2bt2WOMsvR5Cp5WE4YHTusxvx9gfKionwMrWrnfUnUS2pbmGi9Np0/s16000/Screenshot%202023-11-07%20at%2013.10.59.png" /></a></div><div><br /></div><ul style="text-align: left;"><li id="connectors"><b>VirusTotal Connectors.</b> We’ve taken a significant step toward realizing the unified threat contextualization platform with VirusTotal Connectors. All your threat intel from third parties can now be seamlessly merged with VirusTotal's context. When faced with an unfamiliar file, hash, domain, IP address, or URL, having a singular view of threat intelligence not only expedites investigations but also helps eliminate detection blind spots. 
<a href="https://blog.virustotal.com/2023/10/unifying-threat-context-with-virustotal.html">Learn more</a>.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjDZzD8Zh5m2TgBRZKVwFtfO3598qLhWmlfdCiJluifaBmyGZpMI6Dh-I8fpmfBkuilUb8f2FpuqxSVJDuiHPSUsenfY2p7hka7NAPMoDrgaSpJfRfXJtWL2X5KdVX_e2BClJqjjIoXakMMtWJkzkRecgXTBYEox003aN3FiTIJPqV2SQlsjrw-A5m4fQ/s1160/Screenshot%202023-11-07%20at%2014.49.06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="449" data-original-width="1160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjDZzD8Zh5m2TgBRZKVwFtfO3598qLhWmlfdCiJluifaBmyGZpMI6Dh-I8fpmfBkuilUb8f2FpuqxSVJDuiHPSUsenfY2p7hka7NAPMoDrgaSpJfRfXJtWL2X5KdVX_e2BClJqjjIoXakMMtWJkzkRecgXTBYEox003aN3FiTIJPqV2SQlsjrw-A5m4fQ/s16000/Screenshot%202023-11-07%20at%2014.49.06.png" /></a></div><div><br /></div><ul style="text-align: left;"><li id="similarity_summary"><b>File similarity summary view. </b>The concept of similarity is straightforward: are two files alike? There are many ways to answer that question, which is why different similarity algorithms exist. Why is this useful? Attackers need tooling for their attacks, essentially malware, and malware is ultimately software: built from frameworks, code and libraries, it takes time and expertise to create. As a result, two different malware files built by the same developer from the same components or builders will look alike. Tracking similar files therefore often lets you track actors or campaigns and study them proactively in order to build effective countermeasures. VirusTotal has supported a number of file similarity searches for a while now (<i>vhash, behash, imphash, ssdeep, TLSH, icon dhash, etc.</i>). 
Earlier this year we rolled out the “Best candidates in a single search” trigger, which searches across all the similarity approaches available for a file at once. Similarity search result listings now display a “Similarity details” toggle that shows which data points the matching files have in common.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTu7hYuMMIdiXvWeUiDMbhiSnetg3rINZobItRmXb6tCjmlc54QyQXVGvm2x9fNZDvDZkQTUtjM0TiKbDz4KkaSSLYBDGajBL5-YuytxnoS5rfRlrNwPIGoEwfA1l9WCGwwyw-FaNqGCIQfJWKZjIYzLQp1PPW0fWTHLfd4pRo9QpB3QnvAMhbvay6q2A/s1476/Screenshot%202023-11-07%20at%2014.50.42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="708" data-original-width="1476" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTu7hYuMMIdiXvWeUiDMbhiSnetg3rINZobItRmXb6tCjmlc54QyQXVGvm2x9fNZDvDZkQTUtjM0TiKbDz4KkaSSLYBDGajBL5-YuytxnoS5rfRlrNwPIGoEwfA1l9WCGwwyw-FaNqGCIQfJWKZjIYzLQp1PPW0fWTHLfd4pRo9QpB3QnvAMhbvay6q2A/s16000/Screenshot%202023-11-07%20at%2014.50.42.png" /></a></div><div><br /></div><ul style="text-align: left;"><li id="vt_bot"><b>Documentation chat assistant, a.k.a. VirusTotal bot. </b>At VirusTotal we are committed to democratizing detection engineering and threat hunting. We acknowledge that VirusTotal Enterprise is a sophisticated tool and that not all organizations have the same maturity when it comes to threat intelligence. We are now leveraging generative AI to accelerate our users’ maturity journey. Every page within VirusTotal displays a small round floating message bubble in the bottom right-hand corner. Clicking on it opens a chat dialog. You can now ask questions (<i>e.g. 
Can I match file metadata using YARA rules?</i>) related to our documentation and it will summarize docs articles and point you in the right direction.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoB-qGlPXWfO0kHg89IxOOzK-v9rtVv6mTeBTzX0HoPCCllw4gnF9eruENm524DrNHI6CaYMxYWgHzdwGqHTnQEY0-oSH5LzM_ljshD877K25fZiUj25uYNLjbLyIgvGtMMNhFDLhxZlNriOmwhm5gMfAZ9b4Z6TUvtRUsmgCLan2zvI_QWkTWAGWPpXQ/s677/Screenshot%202023-11-07%20at%2014.51.44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="677" data-original-width="556" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoB-qGlPXWfO0kHg89IxOOzK-v9rtVv6mTeBTzX0HoPCCllw4gnF9eruENm524DrNHI6CaYMxYWgHzdwGqHTnQEY0-oSH5LzM_ljshD877K25fZiUj25uYNLjbLyIgvGtMMNhFDLhxZlNriOmwhm5gMfAZ9b4Z6TUvtRUsmgCLan2zvI_QWkTWAGWPpXQ/s16000/Screenshot%202023-11-07%20at%2014.51.44.png" /></a></div><div><br /></div><ul style="text-align: left;"><li id="service_accounts_api"><b>Service accounts API documentation. </b>Late last year we <a href="https://blog.virustotal.com/2022/11/service-accounts-are-here-to-help.html">rolled out service accounts</a> in order to interact programmatically with VirusTotal leveraging API keys that are not tied to individual users. We have now <a href="https://developers.virustotal.com/reference/create-a-new-service-account">documented</a> API endpoints related to VirusTotal API service accounts.</li></ul><h3 style="text-align: left;">What has changed?</h3><div><ul style="text-align: left;"><li id="skyhigh"><b>McAfee-Gateway renamed to Skyhigh.</b> Following McAfee Enterprise’s service renaming, the detection engine formerly known as McAfee-Gateway in VirusTotal has been renamed to “Skyhigh”. 
</li></ul></div>Emiliano Martinez<br /><br />October 2nd, 2023 - Strings searching, VMRAY screenshots and Private Scanning deletions<h3 style="text-align: left;">What's new?</h3><ul style="text-align: left;"><li id="content_search"><b>File/URL response content strings searching.</b> Besides being a Threat Intelligence suite that lets its users research emerging threat patterns world-wide, <a href="http://virustotal.com/gui/services-overview">VT ENTERPRISE</a> is also an automated malware analysis solution performing {reputational, static, dynamic, code, similarity} analysis of suspicious files. One of the static analysis components is strings extraction: it runs on absolutely all uploaded files, and VT ENTERPRISE users can both download files and see/download the strings of files uploaded by themselves or by any other VirusTotal Community user. Moreover, strings extraction also acts on the content returned when checking URLs. We recently added functionality to download strings dumps for offline scrutiny; we are now extending strings-related capabilities with online search. 
Users can now search across file/URL response content strings within their browsers.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYUqe-e28hUwDg0RGOK4x7LsCXTn7DRnNh67wD19j3DOjVBbFcubCiVtnoZmmUKQ7-wvliJN4A0bkQ-YYC0dE46hzI34yxcKOO1i4uE9B3jsWVt6YakaZNEiKpv9dBt3ytxY7xfGrZe6qewQVwnm1yooN7_xsbJVzmi2aXrkwZFYcx0ENQI3NyqyY7xaA/s1102/Screenshot%202023-10-02%20at%2012.04.55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="650" data-original-width="1102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYUqe-e28hUwDg0RGOK4x7LsCXTn7DRnNh67wD19j3DOjVBbFcubCiVtnoZmmUKQ7-wvliJN4A0bkQ-YYC0dE46hzI34yxcKOO1i4uE9B3jsWVt6YakaZNEiKpv9dBt3ytxY7xfGrZe6qewQVwnm1yooN7_xsbJVzmi2aXrkwZFYcx0ENQI3NyqyY7xaA/s16000/Screenshot%202023-10-02%20at%2012.04.55.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><ul style="text-align: left;"><li id="vmray"><b>VMRAY screenshots.</b> VirusTotal not only analyzes files, domains, IP addresses and URLs with multiple antivirus vendors and blocklists; we also run a myriad of home-grown, open source and 3rd-party tools on these artifacts, including dynamic analysis sandboxes. Every executable (as well as other file formats) uploaded to VirusTotal gets detonated in both VirusTotal-developed and 3rd-party partner dynamic analysis environments to produce behavioral information such as domains contacted, payload download URLs, files created, registry keys set, etc. One of the 3rd-party sandbox vendors participating in this community effort is <a href="https://www.vmray.com/">VMRay</a>. 
VMRay has extended the data shared with VirusTotal to include screenshots produced during detonation, <a href="https://www.virustotal.com/gui/file/0951a4a0aa2cfa91d5477895e6302d68fcddd490691787e63261e7bf9982e5cd/behavior">see example</a>.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFRKWiryKezV58wc3a7LOalBBiDuFp05A1kqcn9OheuLOup58awX6YRBh3t22p8TfLqq82V81G7KhDgK59ZFVicCtGoOXO4e5_XKgz98QLbsUmRYhZqi77ASqPrClI-HhUDPgaMzlgriNOY4Ksm-Cz_AgZyJ0W2mwJNG1FxXhk1DGXbj6t9uOdM1LXgXw/s1242/Screenshot%202023-10-02%20at%2014.46.03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="608" data-original-width="1242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFRKWiryKezV58wc3a7LOalBBiDuFp05A1kqcn9OheuLOup58awX6YRBh3t22p8TfLqq82V81G7KhDgK59ZFVicCtGoOXO4e5_XKgz98QLbsUmRYhZqi77ASqPrClI-HhUDPgaMzlgriNOY4Ksm-Cz_AgZyJ0W2mwJNG1FxXhk1DGXbj6t9uOdM1LXgXw/s16000/Screenshot%202023-10-02%20at%2014.46.03.png" /></a></div><div><br /></div><ul style="text-align: left;"><li id="delete_private"><b>Delete private files and analyses, via API or UI.</b> <a href="https://assets.virustotal.com/vt-brief-private-scanning.pdf">VirusTotal Private Scanning</a> allows its users to “see files through VirusTotal’s eyes” without making those files or their reports downloadable/visible to any 3rd-party beyond their own organizations, i.e. in a non-shareable fashion. All standard VirusTotal analysis components are included (reputation, static, dynamic - sandboxes, code, similarity analysis) except for multi-antivirus scanning. Private scans have a default 24h TTL both for uploaded files and their corresponding reports. Users also have the option to extend this TTL. 
We’ve now added <a href="https://developers.virustotal.com/reference/get-a-private-file-report-copy">API</a> and UI actions that let users delete both files and their corresponding reports before the TTL expires.</li></ul> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLeNc3pDG1fkyuAO6am39qMZ8OrIOzLbnapBe6CSYT6SmxXFn7nmhBviOf02h9njegrF1WT3KppIYDRat9s8fI69v4VgQTJ93Epcpt3vtG0w0tvESZE_YkOvDY2aLuVOYYaQK_FOG88bhZ2B8ID6Ecyzm9JQMIJB2IsQzQG4DUosM2acLvqV7Ju30JSgE/s486/Screenshot%202023-10-02%20at%2014.39.11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="228" data-original-width="486" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLeNc3pDG1fkyuAO6am39qMZ8OrIOzLbnapBe6CSYT6SmxXFn7nmhBviOf02h9njegrF1WT3KppIYDRat9s8fI69v4VgQTJ93Epcpt3vtG0w0tvESZE_YkOvDY2aLuVOYYaQK_FOG88bhZ2B8ID6Ecyzm9JQMIJB2IsQzQG4DUosM2acLvqV7Ju30JSgE/s16000/Screenshot%202023-10-02%20at%2014.39.11.png" /></a></div><br />Emiliano Martinez<br /><br />September 24th, 2023 - Technology integrations hub and assisted YARA rules with the IoC structure explorer<h3 style="text-align: left;">What's new?</h3><ul style="text-align: left;"><li id="integrations_hub"><b style="font-weight: bold;">VirusTotal to third-party technology integrations explorer.</b> VirusTotal is the richest and most actionable crowdsourced threat intelligence suite. More than 3.6M users a month and tens of thousands of organizations world-wide rely on its threat reputation and context to be safer. 
Its popularity is such that most 3rd-party security technologies have built off-the-shelf, turnkey integrations with our API, powering use cases such as automatic alert triage, event enrichment, false positive discarding, 2nd-opinion detection and other threat detection and response flows. We recently started to document some of those home-grown and community/vendor-developed <a href="https://developers.virustotal.com/reference/technology-integrations">third-party integrations in our API reference</a>. To make those integrations even more discoverable, we have <a href="https://www.virustotal.com/gui/technology-integrations/vt-to-third-party">rolled out an integrations explorer</a>, including search, technology categories and more. It is by no means exhaustive; if you are missing an integration, please <a href="https://docs.google.com/forms/d/e/1FAIpQLSew8Y-8XLCedxj2wZ4K8vMW7vy3KLffHPf-bnRbaQP2UVL15g/viewform?resourcekey=0-gN7OQ8hBiK-AikRD8ogOfw">let us know</a>.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjm5i6imejlBE8yYXpfe5F5etxQMH13fbpx_QlWxRAkv-IBiM5pubuUhvlX9r_vgtT1p4KoBUNR1e_1pmjnRcKjcPH2RHOp18JpqGFGV_-19m8P5Fjhkv4MUEwJlqrm3pCQIbFVvSzR9geNHs4mP-EfdNE5HGX6Khl6DHBcdBI0d7NN3wzL8nLrWYoNOQI/s2312/Screenshot%202023-09-24%20at%2022.54.04.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1332" data-original-width="2312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjm5i6imejlBE8yYXpfe5F5etxQMH13fbpx_QlWxRAkv-IBiM5pubuUhvlX9r_vgtT1p4KoBUNR1e_1pmjnRcKjcPH2RHOp18JpqGFGV_-19m8P5Fjhkv4MUEwJlqrm3pCQIbFVvSzR9geNHs4mP-EfdNE5HGX6Khl6DHBcdBI0d7NN3wzL8nLrWYoNOQI/s16000/Screenshot%202023-09-24%20at%2022.54.04.png" /></a></div><div><br /></div><ul style="text-align: left;"><li id="structure_explorer"><b>One-click assistant to build VT HUNTING YARA rules matching IoC analysis and metadata properties.</b> <a href="https://www.virustotal.com/gui/hunting-overview">VT Hunting</a> <a href="https://support.virustotal.com/hc/en-us/articles/360001315437-Livehunt">Livehunt</a> allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard for monitoring threat campaigns and malware toolkits, as well as for tracking threat actors going forward. What differentiates YARA in VirusTotal is that (1) you can match any kind of IoC, not only files, and (2) you can match VirusTotal technical analysis properties and metadata rather than only binary contents. Matching of network indicators and analysis properties & metadata is done through the “vt” YARA module (<a href="https://developers.virustotal.com/docs/nethunt">network indicator matching</a> and <a href="https://support.virustotal.com/hc/en-us/articles/360007088057-Writing-YARA-rules-for-Livehunt">file analysis matching</a>). Discovering all the properties that can be matched used to be a tedious task involving a significant amount of documentation reading. To ease it, we have now incorporated <a href="https://blog.virustotal.com/2023/09/its-all-about-structure-creating-yara.html">a “structure explorer” that lets you navigate the property tree of any kind of VirusTotal IoC and compose YARA rules by simply clicking on the pertinent properties</a>.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnCY5Nh9M1IZEjRbAEQRKBKAzWbcOv5h1uJJ1JknnVFpQmyKoTn72kvxBe-LZHwHklsXrPC3AfgBVATnbRB2us-BsvWVoupfBShN99p_ViogLluwDTUDDs_kK85LwJ7toi24vQai70jzfnHw0cC9KszL2cuxqeAZylWnVm1fxmx_SVNcuPlJDeoV5uZss/s467/pasted%20image%200%20(1).png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="440" data-original-width="467" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnCY5Nh9M1IZEjRbAEQRKBKAzWbcOv5h1uJJ1JknnVFpQmyKoTn72kvxBe-LZHwHklsXrPC3AfgBVATnbRB2us-BsvWVoupfBShN99p_ViogLluwDTUDDs_kK85LwJ7toi24vQai70jzfnHw0cC9KszL2cuxqeAZylWnVm1fxmx_SVNcuPlJDeoV5uZss/s16000/pasted%20image%200%20(1).png" /></a></div><br />Emiliano Martinez<br /><br />September 11th, 2023 - Follow threat actors and collections via email, personal YARA matches on file reports, on-demand file scanning of downloaded URL content and more<h3 style="text-align: left;">What's new?</h3><ul style="text-align: left;"><li id="yara_matches"><b>Personal YARA rule matches now showing up on file/hash reports, following the crowdsourced YARA rule matches style. </b><a href="https://www.virustotal.com/gui/hunting-overview">VT Hunting</a> <a href="https://support.virustotal.com/hc/en-us/articles/360001315437-Livehunt">Livehunt</a> allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard for monitoring threat campaigns and malware toolkits, as well as for tracking threat actors going forward. Up until now, Livehunt YARA rule matches were only displayed in your <a href="https://blog.virustotal.com/2023/06/actionable-threat-intel-ii-ioc-stream.html">IoC Stream</a>. 
As of now, whenever you search in VirusTotal or perform IoC lookups outside of VT Hunting, if the pertinent IoC matches one of your YARA rules, the match is called out as a red tag on the IoC report and detailed in the “Detection” tab, with pivot controls to jump to other files matching the same rule.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPq--Mp1kpk_TgMtaZSEuR0Gkq2GwglbA_50aFBaJnD7gNA2QSFOfuoTnvv_oJlyXHDKIJsq_wwH2zQkSGRnKbnyOxSV166LV_4WYOuNHLuCxrcZEGbNd3iDMAfuEPROeKZKNoaIE2WfzYXBZLXgJdMI7a6aqnrWi_iw_hFlDcGMgSlixx2W95SdQeJsg/s1130/Screenshot%202023-09-11%20at%2010.41.50.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="474" data-original-width="1130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPq--Mp1kpk_TgMtaZSEuR0Gkq2GwglbA_50aFBaJnD7gNA2QSFOfuoTnvv_oJlyXHDKIJsq_wwH2zQkSGRnKbnyOxSV166LV_4WYOuNHLuCxrcZEGbNd3iDMAfuEPROeKZKNoaIE2WfzYXBZLXgJdMI7a6aqnrWi_iw_hFlDcGMgSlixx2W95SdQeJsg/s16000/Screenshot%202023-09-11%20at%2010.41.50.png" /></a></div><br /><ul style="text-align: left;"><li id="scan_downloaded_content"><b>On-demand file scanning of downloaded URL content whenever the corresponding file has not yet been seen by VirusTotal. </b>VirusTotal is world-renowned for file/hash reputation and context; however, these days the domain/IP/URL technical/tactical intelligence dataset is equally comprehensive, if not more so. Indeed, VirusTotal lets you submit URLs and have them checked against 85+ security vendors/blocklists. The analyzer does not stop at providing verdicts and reputation for URLs. 
One of the analysis components actually pulls the content hosted at the pertinent URL and, if deemed interesting, it will scan it with the antivirus/EDR/nextgen file scanners, building the corresponding parent-child relationship and producing contextual notions such as in-the-wild download URLs for files in the corpus. What do we mean by interesting content? It would be certain file types such as executables, documents, compressed bundles, etc. Specifically, we will not massively ingest random HTML content so as to prevent noise in our feeds. This said, we are now displaying the content pulled from all URLs - interesting or not - under the “Content” tab of URLs and we are allowing users to trigger manual file scans of such content within the “Details” and “Relations” tabs whenever such content was not automatically scanned by the platform.</li></ul><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj3orar5jUIoasGQuGuFf_ho-fCMglyukccj4YOlCp3GbxcF1ZKYp7XkTP0KKPzk38Bm9eBbzNYNvC72K4MmS5VjVZTzsd6ZWDdI8i2lAoTUArzxCyiTX6JyRI-N2qUg9oVsr1KexUFNI2zBeL3ZaCk0DKpjsJI8hiCQ9P4QkCGOYKgiYVnxqEw2pimlQ/s618/Screenshot%202023-09-11%20at%2011.27.35.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="416" data-original-width="618" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj3orar5jUIoasGQuGuFf_ho-fCMglyukccj4YOlCp3GbxcF1ZKYp7XkTP0KKPzk38Bm9eBbzNYNvC72K4MmS5VjVZTzsd6ZWDdI8i2lAoTUArzxCyiTX6JyRI-N2qUg9oVsr1KexUFNI2zBeL3ZaCk0DKpjsJI8hiCQ9P4QkCGOYKgiYVnxqEw2pimlQ/s16000/Screenshot%202023-09-11%20at%2011.27.35.png" /></a></div><br /></div><ul style="text-align: left;"><li id="autoadd_notif"><b>VT Enterprise group user auto-add notifications. 
</b>VirusTotal has been continually maturing on the enterprise readiness front, following our work on <a href="https://releases.virustotal.com/2022/04/april-11th-2022-saml-authentication.html">SSO/SAML</a> or <a href="https://blog.virustotal.com/2022/11/service-accounts-are-here-to-help.html">service accounts</a>, we continue to improve security and enterprise controls. VirusTotal group administrators can define certain email patterns in their group profile settings so that whenever corporate users sign up to VirusTotal, they get automatically added to their enterprise groups. As of now, administrators can also set up their accounts to automatically notify them via email whenever new users get added to their groups via the email auto-add patterns.</li></ul><div><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVNnDRrOE8nOGeSXDlerodB7WMti5K9AknRxiZAm28nlgAbbxevEsEKApSi_I6fYi4KBYD0uI-ClO6EMHiqxs-RG2613mjSFHK3Ln_TFbHQAIg4L4dZv00Jo3YfDISl7xQ964oqYCtPZjHZvy45NLIJt0RG2lKCrMrJZAstcPhCU2mWF8eGa45I6q4XRo/s1301/Screenshot%202023-09-11%20at%2010.59.59.png"><img border="0" data-original-height="406" data-original-width="1301" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVNnDRrOE8nOGeSXDlerodB7WMti5K9AknRxiZAm28nlgAbbxevEsEKApSi_I6fYi4KBYD0uI-ClO6EMHiqxs-RG2613mjSFHK3Ln_TFbHQAIg4L4dZv00Jo3YfDISl7xQ964oqYCtPZjHZvy45NLIJt0RG2lKCrMrJZAstcPhCU2mWF8eGa45I6q4XRo/s16000/Screenshot%202023-09-11%20at%2010.59.59.png" /></a></div><br /></div><ul style="text-align: left;"><li id="follow_by_email"><b>Follow threat actors and collections via email. </b>VirusTotal’s <a href="https://assets.virustotal.com/vt-deep-dive-threat-landscape-module.pdf">Threat Landscape</a> module incorporates {attribution, threat actor profiling, campaign & toolkit knowledge cards} into our top VirusTotal packages. Users can subscribe or follow specific threat actors / campaigns / toolkits / incidents. 
When following a given threat entity, users get notified about any new IoC related to it via their personal <a href="https://www.virustotal.com/gui/ioc-notifications/all?order=date-">IoC Stream</a>. It is a vehicle for creating tailored views of VirusTotal’s live dataset focused on the threats that are relevant to you. As of now, users can also receive those notifications via email.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0L2lWe9GRTQo3a1rb0BBJpOUHQW_b4t8YnmPatn7EsENX2XmibZ3p5AvUiOeFW9CnxZkOAVHjGN8dx2Mng5wBQ1npArMRpO5m1y-FDbZcJE_C6Ighp5j_dkB0kvXHVTj7KbJjnts2P5ajtNNTOM2nCt66RzufP293I8sEtb_YecC_r_9ccDOHqFGivcg/s1135/Screenshot%202023-09-11%20at%2011.30.36.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="353" data-original-width="1135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0L2lWe9GRTQo3a1rb0BBJpOUHQW_b4t8YnmPatn7EsENX2XmibZ3p5AvUiOeFW9CnxZkOAVHjGN8dx2Mng5wBQ1npArMRpO5m1y-FDbZcJE_C6Ighp5j_dkB0kvXHVTj7KbJjnts2P5ajtNNTOM2nCt66RzufP293I8sEtb_YecC_r_9ccDOHqFGivcg/s16000/Screenshot%202023-09-11%20at%2011.30.36.png" /></a></div><br /><div><br /></div><p>Emiliano Martinez</p><h2>September 4th, 2023 - Download strings, malware config extraction in Private Scanning, new search modifiers and more</h2><p>Published 2023-09-04T07:34:00.005-07:00, updated 2023-09-24T13:20:55.278-07:00.</p><span id="docs-internal-guid-112bfe45-7fff-f076-c2a8-b68e6df1b841"><h2 style="text-align: left;"><b>What's new?</b></h2><ul style="text-align: left;"><li id="filestrings"><span style="font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><b>Download file content strings.</b> Besides being a Threat Intelligence suite that lets its users research emerging threat patterns worldwide, <a href="http://virustotal.com/gui/services-overview">VT ENTERPRISE</a> is also an automated malware analysis solution performing {reputational, static, dynamic, code, similarity} analysis of suspicious files. One of the static analysis components that run on files is strings extraction; it runs on absolutely all uploaded files, and VT ENTERPRISE users can both download files and see the strings for files uploaded by themselves or by any other VirusTotal Community user. As of now, users can not only see file strings within their browsers but also download full strings dumps for offline searching and analysis. Strings downloading is available in the <a href="https://www.virustotal.com/gui/file/a5ec3f315569bea1b870fac6acf8a9d8fd15ffba90b78fc0a4fcca2f245096d4/content">content tab of file reports</a>.</span></li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZf6cFw3XuzPPYoQw-vnjKPCzvnxA0wNLlwzTy0Ry_yO1HI8rC_sF7H3dXnCn39QZ0Ey1KRgglYN5H8lAkYaqFn7AFjRPFcu90tkDH8wHS5WTxvf4bXndJNLKhhOd67vK1nTfaELw2n_cO_FHaiSQjjaDuiCne408zvYT2RI7N2zL4BcpzPx48Y570mEo/s981/Screenshot%202023-09-04%20at%2014.59.34.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="485" data-original-width="981" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZf6cFw3XuzPPYoQw-vnjKPCzvnxA0wNLlwzTy0Ry_yO1HI8rC_sF7H3dXnCn39QZ0Ey1KRgglYN5H8lAkYaqFn7AFjRPFcu90tkDH8wHS5WTxvf4bXndJNLKhhOd67vK1nTfaELw2n_cO_FHaiSQjjaDuiCne408zvYT2RI7N2zL4BcpzPx48Y570mEo/s16000/Screenshot%202023-09-04%20at%2014.59.34.png" /></a></div><ul style="text-align: left;"><li 
id="config_extraction"><span style="font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><b>Malware config extraction in Private Scanning.</b> <a href="https://assets.virustotal.com/vt-brief-private-scanning.pdf">VirusTotal Private Scanning</a> allows its users to “see files through VirusTotal’s eyes” without making those files or their reports downloadable/visible to any third party beyond their own organizations, i.e. in a non-shareable fashion. All standard VirusTotal analysis components are included (reputation, static, dynamic - sandboxes, code, similarity analysis) except for multi-antivirus scanning. We have extended Private Scanning with Mandiant Backscatter. Backscatter understands common malware families and extracts configuration files (<a href="https://www.virustotal.com/gui/file/f5294dffbb3bf3a72daa364811ad6b27f6f9e0cbf1d347bc253ceeb3d40a9655/details">see example</a>). Backscatter will identify malware families, C2s, decoys, dropzones, etc. 
Note that the entire malware configuration output is pivotable (click on any of its fields) and a new search modifier (malware_config:) powers the search; for example, <a href="https://www.virustotal.com/gui/search/malware_config%253Aamadey">malware_config:amadey</a>.</span></li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiInIaBx4zIeAYeVU2IBFgtrkxcP8P949sqDOR-UvFPCj3t1J7ckjpeoPrGujYrBDKn9q14HfCBbqIc2MoWzL2dK-mT9f_XReotwsdB88HXYKrb6i6E_Regg60DzVyuH70CL5zsvjCdobXBe5uBve2s22JRCbw9X5-DnO2veaPAc78rbrrmjCig7FNiEoI/s905/Screenshot%202023-09-04%20at%2016.29.38.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="413" data-original-width="905" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiInIaBx4zIeAYeVU2IBFgtrkxcP8P949sqDOR-UvFPCj3t1J7ckjpeoPrGujYrBDKn9q14HfCBbqIc2MoWzL2dK-mT9f_XReotwsdB88HXYKrb6i6E_Regg60DzVyuH70CL5zsvjCdobXBe5uBve2s22JRCbw9X5-DnO2veaPAc78rbrrmjCig7FNiEoI/s16000/Screenshot%202023-09-04%20at%2016.29.38.png" /></a></div><ul style="text-align: left;"><li id="private_scanning_settings"><span style="font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><b>Default private scanning settings.</b> <a href="https://assets.virustotal.com/vt-brief-private-scanning.pdf">VirusTotal Private Scanning</a> allows its users to specify custom file/report retention periods (1 day by default) and file storage regions (US vs EU) to comply with applicable regulations. 
Having to select non-default retention periods and regions on every upload can be tedious, so VirusTotal group administrators can now provide default values for these selections in the settings tab of their group profile.</span></li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge1v0gi0MmsxnAxxCZFtbCDtH9exo0xKLvDS2rarbM3kgFbPqp7IljfU4Y6mKEAlbDtwYZ5JISi78Rwc2SGYpWI5BvOGAkM7yZJvUkVunlJdVVmLNN3Mmgj-kIaveNf_nXYiegNpODxGEfGtZI8M_JyZgIn8u_gX3YjJKphaD9hkJc5do7_8YnB7fSGPc/s1293/Screenshot%202023-09-04%20at%2015.37.14.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="263" data-original-width="1293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge1v0gi0MmsxnAxxCZFtbCDtH9exo0xKLvDS2rarbM3kgFbPqp7IljfU4Y6mKEAlbDtwYZ5JISi78Rwc2SGYpWI5BvOGAkM7yZJvUkVunlJdVVmLNN3Mmgj-kIaveNf_nXYiegNpODxGEfGtZI8M_JyZgIn8u_gX3YjJKphaD9hkJc5do7_8YnB7fSGPc/s16000/Screenshot%202023-09-04%20at%2015.37.14.png" /></a></div><ul style="text-align: left;"><li id="intel_search_mods"><span style="font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><b>New VT Intelligence search modifiers - ssl_not_before and ssl_not_after.</b> <a href="https://www.virustotal.com/gui/intelligence-overview">VT INTELLIGENCE</a> is often described as the Google for malware. 
It allows users to search for IoCs and access superior context to understand threats. It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. We have added support for the following new modifiers; </span>they let users monitor newly issued HTTPS certificates that may be part of phishing campaigns:</li><ul><ul><li><span style="font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><u>ssl_not_before:</u> search according to the validity start date of the last SSL certificate seen for a given domain or IP address. Example: <a href="https://www.virustotal.com/gui/search/entity%253Adomain%2520fuzzy_domain%253Aamazon.com%2520ssl_not_before%253A2023-08-31%252B/domains">entity:domain fuzzy_domain:amazon.com ssl_not_before:2023-08-31+</a>.</span></li><li><span style="font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><u>ssl_not_after:</u> search according to the validity end date of the last SSL certificate seen for a given domain or IP address. 
Example: <a href="https://www.virustotal.com/gui/search/entity%253Adomain%2520fuzzy_domain%253Aamazon.com%2520ssl_not_after%253A2023-08-31%252B/domains">entity:domain fuzzy_domain:amazon.com ssl_not_after:2023-08-31+</a>.</span></li></ul></ul></ul></span><p>Emiliano Martinez</p><h2>August 21st, 2023 - VT Private Scanning regionalization, subscription invoices directly in your inbox and more</h2><p>Published 2023-08-21T06:06:00.001-07:00, updated 2023-08-24T02:15:01.728-07:00.</p><ul style="text-align: left;"><li id="invoiceemails"><b>Subscription invoices directly in your inbox.</b> VirusTotal continues to mature as a platform: following our work on <a href="https://releases.virustotal.com/2022/04/april-11th-2022-saml-authentication.html">SSO/SAML</a> and <a href="https://blog.virustotal.com/2022/11/service-accounts-are-here-to-help.html">service accounts</a>, we are improving not only security controls but also other enterprise readiness areas. If you are paying for <a href="https://www.virustotal.com/gui/services-overview">VirusTotal Enterprise</a> via credit card, you can now provide a list of email addresses in your VirusTotal Group settings page, and the corresponding invoices will be emailed to those accounts in addition to being displayed in the “Invoices” tab of your VirusTotal Group profile. 
</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy23K8bwq6DpQu2WDez9tiZh6YslrH8zHoC7_Y5j0xb5bz9RaCQwv2ffKI4pY5PKFdoI3gsgQ7E6KBndSr9n10usbandHiNdrTQ4eiqp6D0YfWhGLWJcL4J3I_XZZrMV98vaVsUyXYRc3xMuwCugNvagofgk1jNoDRCTOZ7mE5myP6rJYptIBfGjZkOmw/s966/Screenshot%202023-08-21%20at%2014.15.19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="312" data-original-width="966" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy23K8bwq6DpQu2WDez9tiZh6YslrH8zHoC7_Y5j0xb5bz9RaCQwv2ffKI4pY5PKFdoI3gsgQ7E6KBndSr9n10usbandHiNdrTQ4eiqp6D0YfWhGLWJcL4J3I_XZZrMV98vaVsUyXYRc3xMuwCugNvagofgk1jNoDRCTOZ7mE5myP6rJYptIBfGjZkOmw/s16000/Screenshot%202023-08-21%20at%2014.15.19.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><ul style="text-align: left;"><li id="yaratags"><b>Personal YARA rule matches now showing up on file reports as tags.</b> <a href="https://www.virustotal.com/gui/hunting-overview">VT Hunting</a> <a href="https://support.virustotal.com/hc/en-us/articles/360001315437-Livehunt">Livehunt</a> allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard to monitor threat campaigns and malware toolkits, as well as to track threat actors going forward. Up until now, Livehunt YARA rule matches were only displayed in your <a href="https://blog.virustotal.com/2023/06/actionable-threat-intel-ii-ioc-stream.html">IoC Stream</a>. 
As of now, whenever you search in VirusTotal or perform IoC lookups outside of VT Hunting, if the pertinent IoC matches one of your YARA rules, the match is called out as a red tag on the IoC report.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFV1y2ad8f5xENT8GCxeBGRZ4eWoxy2bD9a7aEh_desW8P-8TX7yXYOb_j79OAeuM0tj8rehqpO40JRamVKIDpexQWifonWt0jwFSFczNGmWzZAEnH-BuT1FKTFDRpWiKAsiIItHNibHtjUhBd5tmMrv30wdBvBRkT7Rth9c2KJvFkb7E95a8aV9eAgcY/s690/Screenshot%202023-08-21%20at%2014.26.22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="289" data-original-width="690" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFV1y2ad8f5xENT8GCxeBGRZ4eWoxy2bD9a7aEh_desW8P-8TX7yXYOb_j79OAeuM0tj8rehqpO40JRamVKIDpexQWifonWt0jwFSFczNGmWzZAEnH-BuT1FKTFDRpWiKAsiIItHNibHtjUhBd5tmMrv30wdBvBRkT7Rth9c2KJvFkb7E95a8aV9eAgcY/s16000/Screenshot%202023-08-21%20at%2014.26.22.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><ul style="text-align: left;"><li id="pscanregionalization"><b>File storage regionalization for VT Private Scanning.</b> <a href="https://assets.virustotal.com/vt-brief-private-scanning.pdf">VirusTotal Private Scanning</a> allows its users to “see files through VirusTotal’s eyes” without making those files or their reports downloadable/visible to any third party beyond their own organizations, i.e. in a non-shareable fashion. All standard VirusTotal analysis components are included (reputation, static, dynamic - sandboxes, code, similarity analysis) except for multi-antivirus scanning. We have extended VT Private Scanning to support file storage regionalization: users can now choose between the US and the EU. 
</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbZB3ip5uaJPMeQcB26j4eIUJc6WvhmjIgfceP4BsvDzDRDkF0m9HGgKWHIVjNbt2GIV4rwTlscBmAaFypqhsSyp5jjIrOCqX3ET4QYu33cik6xPyrxukYfwa1fCoVZN9VEdmZwX1w2Fk7QEqcMM-IaP03yiYpvN1fwLfEj013st9ivFBLVwuGOTPMfso/s1034/Screenshot%202023-08-21%20at%2014.28.14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="570" data-original-width="1034" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbZB3ip5uaJPMeQcB26j4eIUJc6WvhmjIgfceP4BsvDzDRDkF0m9HGgKWHIVjNbt2GIV4rwTlscBmAaFypqhsSyp5jjIrOCqX3ET4QYu33cik6xPyrxukYfwa1fCoVZN9VEdmZwX1w2Fk7QEqcMM-IaP03yiYpvN1fwLfEj013st9ivFBLVwuGOTPMfso/s16000/Screenshot%202023-08-21%20at%2014.28.14.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><ul style="text-align: left;"><li id="pscanundetected"><b>VT Private Scanning “Inconclusive” verdict has been renamed to “Undetected”.</b> <a href="https://assets.virustotal.com/vt-brief-private-scanning.pdf">VT Private Scanning</a> does not leverage the multi-antivirus setup, but does emit opinionated verdicts about the maliciousness of files based on a multi-layered approach including sandbox detonation observations, YARA rule matches, static analysis and other advanced analysis components. We have renamed the “Inconclusive” verdict to “Undetected” as it was generating some confusion. 
This verdict indicates that there are no clear signs of maliciousness.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdcvNi_w0q85gaICw5cXel_ilpZRAvblalAFAiTFz8q-JLouN9IrvWIVn2GIrhVjPk6XbCv7uIBPCivJNkbauyWdEjtgAjnaUY8Bv-D-ITQLFzHiNKHLnPKw1diO349j9qvY3JCWqgiWbbHXVOdZoS3JUosJHDWQ-gXh1yIX42qVb0aAAORbKStfSY-8Y/s513/Screenshot%202023-08-21%20at%2014.59.00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="177" data-original-width="513" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdcvNi_w0q85gaICw5cXel_ilpZRAvblalAFAiTFz8q-JLouN9IrvWIVn2GIrhVjPk6XbCv7uIBPCivJNkbauyWdEjtgAjnaUY8Bv-D-ITQLFzHiNKHLnPKw1diO349j9qvY3JCWqgiWbbHXVOdZoS3JUosJHDWQ-gXh1yIX42qVb0aAAORbKStfSY-8Y/s16000/Screenshot%202023-08-21%20at%2014.59.00.png" /></a></div><br /><div><br /></div><p>Emiliano Martinez</p><h2>August 7th, 2023 - Livehunt one-click wizards on IoC reports, Crowdsourced AI + NICS Lab and enterprise readiness++</h2><p>Published 2023-08-07T02:19:00.008-07:00, updated 2023-08-24T02:13:12.424-07:00.</p><h3 style="text-align: left;">What's new?</h3><ul style="text-align: left;"><li id="oneclickwizards"><b style="font-weight: bold;">VT HUNTING Livehunt for network indicators, one-click wizards. </b>Last week we announced the <a href="https://blog.virustotal.com/2023/07/actionable-threat-intel-iv-yara-beyond.html">rollout of VT Hunting Livehunt for network indicators</a>, which extends Livehunt’s matching capabilities to cover <a href="https://developers.virustotal.com/docs/nethunt">domains, IP addresses and URLs</a>. 
This allows analysts to discover new artifacts and infrastructure tied to a known campaign, unearth new infrastructure being leveraged by popular malware toolkits, perform attack surface management, identify phishing campaigns against their organizations, etc. <a href="https://blog.virustotal.com/2023/08/actionable-threat-intel-v-autogenerated.html">We’ve published a second post focusing on one-click “IoC follow” actions</a> that automatically create Livehunt rules to receive timely updates about new activity related to IoCs that you may be investigating.</li></ul><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaaIYfBbOwzOJhu32BSTbjEOP_J8MgbLhyP87tAyRw4wWYwT6BuzQdctUCn93j6XzxRLBT4BCFC9SWs-7QgmE9fdiZgdAq2DMylw1Syb01chqOxuspDZ1mpad-SAngJLGiAqjYd6pqIN-dISfBvdr8PXhPU4rcjLQDilwq5i0Pk_uO8bplZN2-0tSu7Zc/s980/Screenshot%202023-08-07%20at%2011.12.10.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="886" data-original-width="980" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaaIYfBbOwzOJhu32BSTbjEOP_J8MgbLhyP87tAyRw4wWYwT6BuzQdctUCn93j6XzxRLBT4BCFC9SWs-7QgmE9fdiZgdAq2DMylw1Syb01chqOxuspDZ1mpad-SAngJLGiAqjYd6pqIN-dISfBvdr8PXhPU4rcjLQDilwq5i0Pk_uO8bplZN2-0tSu7Zc/s16000/Screenshot%202023-08-07%20at%2011.12.10.png" /></a></div><div><br /><div><ul style="text-align: left;"><li id="nicslab"><b>Crowdsourced AI += NICS Lab. </b>We’ve extended our Crowdsourced AI initiative with a generative AI model from a research group of the Computer Science Department at the University of Malaga. The new model processes PowerShell files, not only strengthening our collective understanding of the code and its behavior, but also providing verdicts on the potential threat level of each file - categorizing them as malicious, suspicious, or benign. 
<a href="https://www.virustotal.com/gui/file/868495ade88c2bd3fe5630e9c7a11d0ba1b24ad429b3f156026b5e1625f89e8d">See example</a>.</li></ul></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDbzyhwO4Vqvrv5F4E9EqaA8wYsEnAw9NvfuwpbuF1wxIgdv2TpGp5n1Aif8YKxGmWB14hr9kUF6UiiU6xxob0oS6ioAQC2W0cqH0_mPg3xJfTYqNhVl8H6JINCpkxMTKgfARUYAkSkFoqtdaIKO81NWVSbaGE7GXPlLSOHaU9Z780TAXTmazCk14miHY/s1878/Screenshot%202023-08-07%20at%2011.13.35.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="882" data-original-width="1878" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDbzyhwO4Vqvrv5F4E9EqaA8wYsEnAw9NvfuwpbuF1wxIgdv2TpGp5n1Aif8YKxGmWB14hr9kUF6UiiU6xxob0oS6ioAQC2W0cqH0_mPg3xJfTYqNhVl8H6JINCpkxMTKgfARUYAkSkFoqtdaIKO81NWVSbaGE7GXPlLSOHaU9Z780TAXTmazCk14miHY/s16000/Screenshot%202023-08-07%20at%2011.13.35.png" /></a></div><div><br /></div><div><ul style="text-align: left;"><li id="keepingstate"><b>Keeping state around expansions and contractions of Behaviour sections. </b>VirusTotal not only runs multiple antivirus/EDR solutions on files, it also brings together multiple sandbox dynamic analysis setups. These days we aggregate over 15 sandboxes covering 4 major operating systems (Windows, Linux, Android, OS X) and producing insights such as created/deleted files, registry keys set, contacted domains, synchronization mechanisms, etc. The output of these sandboxes is displayed in the <a href="https://www.virustotal.com/gui/file/1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e/behavior">Behavior tab of file reports</a>. The information displayed in this tab is extremely exhaustive, and we acknowledge that some users may only be interested in certain sections, such as network communications. In order to improve relevance and discoverability, we are now storing state around section header contractions and expansions. 
This provides a personalized experience whereby, upon loading new file reports, users see the information they deem important first.</li></ul></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp9l3Gc_RI-7PMjQgG04VZcmcFtKZnvfdFgB3Xh3eOsJJNfXvPXP2kqghBXspEwTh5dldfEOpOSUdNDxRrm5GafsfZKny-GgFP5efaZN588uz2-_Q3jSskeYr_bQg9Tt9CKBte-_nv9TPtfTCkcEYFH4UINzu3aAPnqM4sCdrV6z7LbMKr1NY2KAZbe5M/s2518/Screenshot%202023-08-07%20at%2011.15.00.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1416" data-original-width="2518" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp9l3Gc_RI-7PMjQgG04VZcmcFtKZnvfdFgB3Xh3eOsJJNfXvPXP2kqghBXspEwTh5dldfEOpOSUdNDxRrm5GafsfZKny-GgFP5efaZN588uz2-_Q3jSskeYr_bQg9Tt9CKBte-_nv9TPtfTCkcEYFH4UINzu3aAPnqM4sCdrV6z7LbMKr1NY2KAZbe5M/s16000/Screenshot%202023-08-07%20at%2011.15.00.png" /></a></div><div><br /></div><div><ul style="text-align: left;"><li id="2faflags"><b>Flags for users with active 2FA authentication and corresponding search filters. </b>VirusTotal has been continually maturing on the enterprise readiness front: following our work on <a href="https://releases.virustotal.com/2022/04/april-11th-2022-saml-authentication.html">SSO/SAML</a> and <a href="https://blog.virustotal.com/2022/11/service-accounts-are-here-to-help.html">service accounts</a>, we continue to improve security controls. Group administrators now see a “2FA” badge next to users with active two-factor authentication in group user listings. 
Similarly, administrators can also filter those listings to focus on users that have or do not have active 2FA.</li></ul></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheQ1N-S2fQP5hejV8g-wJLQTM8TLxW6oCLGpKmyx9ztK7OlkTdDAQkSv1BhysEPtJd504lGjYfD_7MJUtpzFMftzDZGQbho12PGMWS4vea_6vOeN8iyBd0o-YmqZDVhYq_Jg37v4xdirJksyMrLLcmdefObjE6xHSNaF3ODiaW1VtlxoPN_tliVgUqopc/s912/Screenshot%202023-08-07%20at%2011.16.15.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="832" data-original-width="912" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheQ1N-S2fQP5hejV8g-wJLQTM8TLxW6oCLGpKmyx9ztK7OlkTdDAQkSv1BhysEPtJd504lGjYfD_7MJUtpzFMftzDZGQbho12PGMWS4vea_6vOeN8iyBd0o-YmqZDVhYq_Jg37v4xdirJksyMrLLcmdefObjE6xHSNaF3ODiaW1VtlxoPN_tliVgUqopc/s16000/Screenshot%202023-08-07%20at%2011.16.15.png" /></a></div><br /><div><br /></div></div><p>Emiliano Martinez</p><h2>July 31st, 2023 - Malware trends report and adversary intelligence improvements</h2><p>Published 2023-07-31T03:27:00.005-07:00, updated 2023-08-10T03:03:12.066-07:00.</p><h3 style="text-align: left;">What's new?</h3><ul style="text-align: left;"><li id="malware_trends_report"><b style="font-weight: bold;">VirusTotal's malware trends report: Emerging Formats and Delivery Techniques. </b>We just released a new edition of our “VirusTotal Malware Trends Report” series, where we share VirusTotal’s visibility to help researchers, security practitioners and the general public better understand the nature of malicious attacks, this time focusing on “Emerging Formats and Delivery Techniques”. 
<a href="https://assets.virustotal.com/reports/2023emerging.pdf">Read the report</a>.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjiN4SrJJcKS1fXEdSKBctDycOKyBkmUPh2Gs1ewc2H23TbpEdcpGIDTGViyyg4v4yz08yqYJEXikNuMRQQubKmq4rJmJU_aWL4qXuy5rGFmkuH3tynPT3M8Scx_26qhcYfLa-2Ckkts5Mb0GVyv5e6uGpVNUnH2pU5dM_WEZPCz7vbTLRJFzYVuWyQ7M/s733/Frame%2096%20(1).png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="676" data-original-width="733" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjiN4SrJJcKS1fXEdSKBctDycOKyBkmUPh2Gs1ewc2H23TbpEdcpGIDTGViyyg4v4yz08yqYJEXikNuMRQQubKmq4rJmJU_aWL4qXuy5rGFmkuH3tynPT3M8Scx_26qhcYfLa-2Ckkts5Mb0GVyv5e6uGpVNUnH2pU5dM_WEZPCz7vbTLRJFzYVuWyQ7M/s16000/Frame%2096%20(1).png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><ul style="text-align: left;"><li id="threat_card_summary"><b>Adversary Intelligence knowledge card summaries. </b>VirusTotal’s <a href="https://assets.virustotal.com/vt-deep-dive-threat-landscape-module.pdf">Threat Landscape</a> module incorporates {attribution, threat actor profiling, campaign & toolkit knowledge cards} into our top VirusTotal packages, allowing users to climb the pyramid of pain, moving from IoC matching into more of operational/strategic intelligence through TTPs, behavioral patterns and adversary profiling. We’ve improved {campaign/malware toolkit, threat actor, reference} cards with an initial summary tab concisely recording notions such as group aliases, motivations, targeted industries, targeted regions, suspected sponsors, related collections, relevant reporting, exploited vulnerabilities, etc. 
<a href="https://www.virustotal.com/gui/threat-actor/68391641-859f-4a9a-9a1e-3e5cf71ec376">See example</a>.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaGGZGlZlIHnTgX1HjM6fsIOVOk72e4GAl3c8Hdh9D4EztuSNC88F2OFvx5INN8OVBc0UiZMNfKckwhGH3Pjvve2wZs0ZUOYF-hYLzW6rDObjkc0pseP5Oa8Xp8KHoiGyz6JrzATDtX30tHV7Toi79GkL_ITx32rwp86BgZvl3_uezWFgpQbofLyuHanI/s1323/Screenshot%202023-07-31%20at%2010.53.32.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="954" data-original-width="1323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaGGZGlZlIHnTgX1HjM6fsIOVOk72e4GAl3c8Hdh9D4EztuSNC88F2OFvx5INN8OVBc0UiZMNfKckwhGH3Pjvve2wZs0ZUOYF-hYLzW6rDObjkc0pseP5Oa8Xp8KHoiGyz6JrzATDtX30tHV7Toi79GkL_ITx32rwp86BgZvl3_uezWFgpQbofLyuHanI/s16000/Screenshot%202023-07-31%20at%2010.53.32.png" /></a></div><div style="font-weight: bold;"><b><br /></b></div><ul style="text-align: left;"><li id="new_filters"><b style="font-weight: bold;">New filters across adversary intelligence knowledge cards. 
</b>We’ve further improved the aforementioned knowledge cards and adversary intelligence listings by consolidating filtering capabilities with a new and more intuitive drop-down paradigm.</li></ul><div class="separator" style="clear: both; font-weight: bold; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMludbEtloVrTBqaRwpmE6YM96eEGfmQBApFWcrKPLmbhnc62zSEYW8GPE-PZ3_a1sk9YSvJjtmIBvM_dghrlcMX7groUFxgi46RN_v4dCMU99XJzMRCcbppxL2_4iQTRXwzn6JMzkmtG4Hhpvez5bfpWp7tMK8PP_a-xezg219cJFYWzEoAn0bPn1IYY/s1359/Screenshot%202023-07-31%20at%2010.55.38.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="367" data-original-width="1359" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMludbEtloVrTBqaRwpmE6YM96eEGfmQBApFWcrKPLmbhnc62zSEYW8GPE-PZ3_a1sk9YSvJjtmIBvM_dghrlcMX7groUFxgi46RN_v4dCMU99XJzMRCcbppxL2_4iQTRXwzn6JMzkmtG4Hhpvez5bfpWp7tMK8PP_a-xezg219cJFYWzEoAn0bPn1IYY/s16000/Screenshot%202023-07-31%20at%2010.55.38.png" /></a></div><div style="font-weight: bold;"><b><br /></b></div><ul style="text-align: left;"><li id="improve_labelling"><b style="font-weight: bold;">Improved labelling of regions, industries, etc. in references and their corresponding automated IoC collections.</b> We are continuously improving the breadth and depth of our adversary intelligence knowledge cards. Along with the aforementioned summaries, you may have noticed a significantly higher number of reference cards with attribution, victimology and other threat activity profiling labels (<a href="https://www.virustotal.com/gui/reference/889ff4a56296a2f0dd28edb3febe7b821316de13bceea2d2aa0aab92af3ee10a">see example reference card</a>). In turn, these labels are also being applied to the automatic IoC collections being created for all ingested threat articles. <a href="https://www.virustotal.com/gui/collection/alienvault_64c131d13447ec7826c8ac6f">See example of automatic IoC collection tied to a given reference</a>. 
We continue to iterate on the completeness of the dataset from a threat actor profiling perspective, and soon you will see greater coverage of threat groups.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8lL7c2BD5qV2DAw5cCSOZdOpU-Fj70QtmCiCndEW1RzDvjPO7canmZnXh9g1CxNanxJQMNz7bDeUwpUEq3NHnxgyIul8y3jqTAP6M5mtojMqu0doD0TS5F8oB_-JStEgkAeIG-b5_f8Np9CcACYNqvGwUwlUZAqHWTEKcCNCXgDYK2aOOusu9yY6f_y4/s1317/Screenshot%202023-07-31%20at%2011.00.14.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="675" data-original-width="1317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8lL7c2BD5qV2DAw5cCSOZdOpU-Fj70QtmCiCndEW1RzDvjPO7canmZnXh9g1CxNanxJQMNz7bDeUwpUEq3NHnxgyIul8y3jqTAP6M5mtojMqu0doD0TS5F8oB_-JStEgkAeIG-b5_f8Np9CcACYNqvGwUwlUZAqHWTEKcCNCXgDYK2aOOusu9yY6f_y4/s16000/Screenshot%202023-07-31%20at%2011.00.14.png" /></a></div><br /><ul style="text-align: left;"><li id="new_properties_commonalities"><b>New properties in commonality calculations.</b> When performing VT INTELLIGENCE <a href="https://storage.googleapis.com/vt-gtm-wp-media/virustotal-for-investigators.pdf">reverse searches</a>, or when looking at <a href="https://blog.virustotal.com/2021/11/introducing-virustotal-collections.html">collections of IoCs</a>, <a href="https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt">Retrohunts</a> or other IoC listings, users can quickly understand what the IoCs have in common in terms of technical static and dynamic features through the “commonalities” functionality. 
We have added portable executable section properties to commonality calculations.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifwv4AxpR3DDRDS4baBykmLXJxPn-eBFhvS-1sCYkrNlW7rJwkY075QR6yxc62O6cqiqkz_9TV69WvNf3k5Ab0M3RI7x9GKHCemSSuT2cQ3EoYftm9uulSaJczIn3WAgQ-T-XRYvzq-jsOLsU0gorikudLQGSMBhPiHalZF5XnOzc1i3hM3y_M4cLtwns/s490/Screenshot%202023-07-31%20at%2012.25.51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="227" data-original-width="490" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifwv4AxpR3DDRDS4baBykmLXJxPn-eBFhvS-1sCYkrNlW7rJwkY075QR6yxc62O6cqiqkz_9TV69WvNf3k5Ab0M3RI7x9GKHCemSSuT2cQ3EoYftm9uulSaJczIn3WAgQ-T-XRYvzq-jsOLsU0gorikudLQGSMBhPiHalZF5XnOzc1i3hM3y_M4cLtwns/s16000/Screenshot%202023-07-31%20at%2012.25.51.png" /></a></div><br /><p>Emiliano Martinez</p><h2>July 24th, 2023 - Crowdsourced AI, new VT INTELLIGENCE search modifiers, following IoCs, Livehunt for network indicators and more</h2><p>Published 2023-07-24T03:47:00.001-07:00, updated 2023-08-10T02:58:31.993-07:00.</p><h3 style="text-align: left;">What’s new?</h3><ul style="text-align: left;"><li id="crowdsourced_ai"><b>Crowdsourced AI.</b> Mirroring our efforts to improve the industry’s threat visibility via crowdsourcing of antivirus/nextgen/EDR verdicts, dynamic analysis sandbox analyses, crowdsourced {YARA, SIGMA, IDS} rule detections, etc., we are now also bringing together cutting-edge AI/ML models from the security community to detect, explain and contextualize threats. 
<a href="https://blog.virustotal.com/2023/07/virustotal-crowdsourced-ai.html">Hispasec has been the very first partner to join this effort</a>; their LLM technology produces verdicts and malware-analyst copilot explanations for malicious documents, including dissection and code analysis of macros.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUJ03jm59b7QzfYApLpPRUoXKIueW5ptmwunCeC6hUD-1SiME7qmpnIfWRuoSzf4ev5zmB7Brw4LJSctXhdUht8TV_eiTDU8dVv1jjXc9XnEwhMTBW_SFuBkk1C1EowRJxRYogvuSun5CCkEbyLMQGuxIhcSVNVjQejvJ3mFOuo7B6Ls_uo-p6uF5cImg/s1860/pasted%20image%200.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1076" data-original-width="1860" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUJ03jm59b7QzfYApLpPRUoXKIueW5ptmwunCeC6hUD-1SiME7qmpnIfWRuoSzf4ev5zmB7Brw4LJSctXhdUht8TV_eiTDU8dVv1jjXc9XnEwhMTBW_SFuBkk1C1EowRJxRYogvuSun5CCkEbyLMQGuxIhcSVNVjQejvJ3mFOuo7B6Ls_uo-p6uF5cImg/s16000/pasted%20image%200.png" /></a></div><div><br /><ul style="text-align: left;"><li id="new_modifiers"><b>New VT INTELLIGENCE search modifiers. </b><a href="https://www.virustotal.com/gui/intelligence-overview">VT INTELLIGENCE</a> is often described as the Google for malware. It allows users to search for IoCs and access superior context to understand threats. It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. We have added support for the following new modifiers:</li><ul><ul><ul><li><b>crowdsourced_ai_verdict.</b> Example: <a href="https://www.virustotal.com/gui/search/crowdsourced_ai_verdict%253Amalicious/files">crowdsourced_ai_verdict:malicious</a>. 
List all IoCs flagged as malicious by at least one <a href="https://blog.virustotal.com/2023/07/virustotal-crowdsourced-ai.html">crowdsourced AI solution</a>.</li><li><b>crowdsourced_ai_positives.</b> Example: <a href="https://www.virustotal.com/gui/search/crowdsourced_ai_positives%253A1%252B/files">crowdsourced_ai_positives:1+</a>. List all IoCs flagged as malicious by a given number of <a href="https://blog.virustotal.com/2023/07/virustotal-crowdsourced-ai.html">crowdsourced AI solutions</a>.</li><li><b>crowdsourced_ai_analysis.</b> Example: <a href="https://www.virustotal.com/gui/search/crowdsourced_ai_analysis%253A%2522discord%2520bot%2522/files">crowdsourced_ai_analysis:"discord bot"</a>. Searches inside the human readable output of all <a href="https://blog.virustotal.com/2023/07/virustotal-crowdsourced-ai.html">crowdsourced AI solutions</a>.</li><li><b>{crowdsourced_ai_engine_name}_ai_verdict.</b> Example: <a href="https://www.virustotal.com/gui/search/hispasec_ai_verdict%253Amalicious/files">hispasec_ai_verdict:malicious</a>. List all IoCs flagged as malicious by a given <a href="https://blog.virustotal.com/2023/07/virustotal-crowdsourced-ai.html">crowdsourced AI solution</a>.</li><li><b>{crowdsourced_ai_engine_name}_ai_analysis. </b>Example: <a href="https://www.virustotal.com/gui/search/hispasec_ai_analysis%253Adownloads/files">hispasec_ai_analysis:downloads</a>. Searches inside the human readable output of a given <a href="https://blog.virustotal.com/2023/07/virustotal-crowdsourced-ai.html">crowdsourced AI solution</a>.</li><li><b>goresym.</b> Example: <a href="https://www.virustotal.com/gui/search/goresym%253A%25E2%2580%259D-s%2520-w%25E2%2580%259D">goresym:”-s -w”</a>. 
Searches within the output of the <a href="https://blog.virustotal.com/2023/01/mandiants-capa-goresym-to-reinforce-vts.html">Goresym file analysis tool</a>.</li></ul></ul></ul></ul><ul style="text-align: left;"><li id="follow_hunting"><b>New findings about interesting IoCs via out-of-the-box Livehunt rule templates. </b>VirusTotal {domain, IP address, URL, file} analysis reports now include a new entry in the top header action menu labeled “Follow”. By actioning it you can now create out-of-the-box YARA rules to get notifications on new URLs distributing a given malware sample, new files being downloaded from known malicious infrastructure, new IP address resolutions for a known malicious domain, new subdomains for a given domain, etc. This should ease the task of tracking threat campaigns and democratizes the use of YARA within VirusTotal, beyond advanced binary pattern matching.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNWxmYwL9rZZhIxCC5NCX3FpryeqgzbsxoJnghoTtbII-3o_oykkBo5YvU-kq9dGCe4yQu8hsDCJQLQLhJKJtmvuf_hLbFtdeoTTNTOdhmcGZRte1WvoyRLzV66FkkhU2M4eXYjGkqfhMH0BDphN2IcO6eQB2mLM66jdiwPvjuYUKyfeEJHfJ6rebs8Mg/s1026/Screenshot%202023-07-21%20at%2013.16.15.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="898" data-original-width="1026" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNWxmYwL9rZZhIxCC5NCX3FpryeqgzbsxoJnghoTtbII-3o_oykkBo5YvU-kq9dGCe4yQu8hsDCJQLQLhJKJtmvuf_hLbFtdeoTTNTOdhmcGZRte1WvoyRLzV66FkkhU2M4eXYjGkqfhMH0BDphN2IcO6eQB2mLM66jdiwPvjuYUKyfeEJHfJ6rebs8Mg/s16000/Screenshot%202023-07-21%20at%2013.16.15.png" /></a></div><br /><ul style="text-align: left;"><li id="net_hunting"><b>VT HUNTING Livehunt for network indicators. 
</b><a href="https://blog.virustotal.com/2023/07/actionable-threat-intel-iv-yara-beyond.html">Read the launch announcement blog post</a>. <a href="https://www.virustotal.com/gui/hunting-overview">VT Hunting</a> <a href="https://support.virustotal.com/hc/en-us/articles/360001315437-Livehunt">Livehunt</a> allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de facto standard for monitoring threat campaigns and malware toolkits, as well as for tracking threat actors going forward. Livehunt YARA matching in VirusTotal is far richer than standalone YARA, because rules can match not only the binary contents of files but also static/dynamic/code analysis properties and other metadata <a href="https://support.virustotal.com/hc/en-us/articles/360007088057-Writing-YARA-rules-for-Livehunt">via the “vt” YARA module</a>. We are now extending Livehunt’s matching capabilities to cover <a href="https://developers.virustotal.com/docs/nethunt">domains, IP addresses and URLs</a>. This allows analysts to discover new artifacts and infrastructure tied to a known campaign, unearth new infrastructure being leveraged by popular malware toolkits, perform attack surface management, identify phishing campaigns against their organizations, etc. Here is a non-exhaustive <a href="https://developers.virustotal.com/docs/nethunt-examples">list of examples to get you started</a>. We’ve also kicked off a <a href="https://github.com/VirusTotal/vt-public-crowdsourced-yara">public GitHub repo to crowdsource rules from the community, where Mandiant has been the first contributor</a>, thank you!</li></ul><ul style="text-align: left;"><li id="health_report"><b>Healthcare industry investigation. </b>We have performed an investigation into the healthcare industry's threat landscape for 2023H1. Most healthcare industry targets were victims of ransomware attempts conducted by generic cybercrime gangs. 
There were a few exceptions in which health institutions were targeted as part of cyberespionage operations, Yoro Trooper being the most notable. See the <a href="https://assets.virustotal.com/reports/HealthSector-H1-23.pdf">summary of our findings</a>.</li></ul></div><h3 style="text-align: left;">What’s been fixed?</h3><div><ul style="text-align: left;"><li id="fix_progress_retrohunt">When a <a href="https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt">Retrohunt</a> job is created using the YARA rule editor, the VirusTotal web UI shows a toast with the message “Retrohunt launched! Go”. When the “Go” link is clicked, a new tab with the list of Retrohunt jobs is opened. The new job was shown with the status “0% Starting” indefinitely, because its progress was not tracked in the background unless the user reloaded the tab. We have now fixed this so that the progress status is retrieved asynchronously.</li></ul></div>Emiliano Martinezhttp://www.blogger.com/profile/00741559542946939395noreply@blogger.comtag:blogger.com,1999:blog-746498462312341605.post-7684869367215879972023-07-19T05:49:00.004-07:002023-08-10T02:52:51.341-07:00July 17th, 2023 - Recap on latest rollouts, from generative AI to integration in 3rd-party technologies We are picking up our weekly release notes once again. This very first 2023 edition is a recap of noteworthy rollouts from the last months.<div><br /><h3 style="text-align: left;">What’s new?</h3><ul style="text-align: left;"><li id="new_partners"><b>New security vendor partnerships.</b> VirusTotal is all about aggregating orthogonal threat detection and contextualization technologies in an effort to increase threat visibility and democratize knowledge about threats. 
We’ve been busy integrating new complementary vendors, including: ArcSight / Micro Focus (IP/domain/URLs), SOCRadar (IP/domain/URLs), DuskRise Cluster25 (IP/domain/URLs), PrecisionSec (IP/domain/URLs), Docguard (CDR/sandboxing), Deep Instinct (files), BKav PRO (files), Google (files), AI Spera / Criminal IP (IP/domain), Crowdsec (IP/domain/URL), AlphaSOC (IP/domain/URLs).</li></ul><ul style="text-align: left;"><li id="generative_ai"><b>Generative AI.</b> As part of our aforementioned efforts around aggregating orthogonal threat detection and contextualization technologies, we have rolled out a malware analyst copilot experience in VirusTotal, both <a href="https://blog.virustotal.com/2023/04/introducing-virustotal-code-insight.html">homegrown LLM explanation of scripts (VT Code Insight)</a> and a <a href="https://blog.virustotal.com/2023/07/virustotal-crowdsourced-ai.html">crowdsourced AI</a> initiative where partners contribute their models to provide differentiated insights into threats. 
Generative AI is also being used to <a href="https://blog.virustotal.com/2023/06/ai-boosts-code-language-and-file-format.html">improve file format identification</a>.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvEUxE7Mwi-0M3SCwvcqpPGXxU-Bex6mNkZyRLbyQcfjVqTthUXD6S0ABymeum72FUK52V4py0zyCLaLLN8R_syPYJC4hC2NAGfNqVEnDh5XyLmRmjkfWMYN8BDkSY7pqZ8H4gB5VxrTOoVjoU95T0fhLwiYrO7qaqhh7nPqJ5p6C6MLw5gFrUUB84ieM/s1600/genai.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1132" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvEUxE7Mwi-0M3SCwvcqpPGXxU-Bex6mNkZyRLbyQcfjVqTthUXD6S0ABymeum72FUK52V4py0zyCLaLLN8R_syPYJC4hC2NAGfNqVEnDh5XyLmRmjkfWMYN8BDkSY7pqZ8H4gB5VxrTOoVjoU95T0fhLwiYrO7qaqhh7nPqJ5p6C6MLw5gFrUUB84ieM/s16000/genai.png" /></a></div><br /><ul style="text-align: left;"><li id="session_controls"><b>Session expiration age and other enterprise readiness security controls.</b> VirusTotal has been continually maturing on the enterprise readiness front, following our work on <a href="https://releases.virustotal.com/2022/04/april-11th-2022-saml-authentication.html">SSO/SAML</a> or <a href="https://blog.virustotal.com/2022/11/service-accounts-are-here-to-help.html">service accounts</a>, we’ve been implementing advanced security controls such as:</li><ul><ul><ul><li>Custom session age - as an admin, check your group settings page.</li><li>Custom inactivity timeouts - as an admin, check your group settings page.</li><li>Latest account connections, to spot anomalous activity - only visible to each user, in their <a href="https://www.virustotal.com/gui/settings">settings page</a>.</li></ul></ul></ul></ul><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT9xvuA5zJol4jkl43bZZNMHoD8m1g3g0HLpW9pGtTftgAQoqsaILyO5w7NcMEUpko9X9Uyjkrf_ICKqsNyhpjEF9-4X-qSDf2fnNpd-JUcjzkfSQmP4wP0-Xk0j09bXPcCOBkPWKwUvHvztUFIECIYnULbiceUr44Vini3yowUvQvHDo1sd87nMlPKF4/s1290/Screenshot%202023-07-19%20at%2014.15.29.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="444" data-original-width="1290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT9xvuA5zJol4jkl43bZZNMHoD8m1g3g0HLpW9pGtTftgAQoqsaILyO5w7NcMEUpko9X9Uyjkrf_ICKqsNyhpjEF9-4X-qSDf2fnNpd-JUcjzkfSQmP4wP0-Xk0j09bXPcCOBkPWKwUvHvztUFIECIYnULbiceUr44Vini3yowUvQvHDo1sd87nMlPKF4/s16000/Screenshot%202023-07-19%20at%2014.15.29.png" /></a></div><br /><ul style="text-align: left;"><li id="group_management"><b>Easier group and user management. </b>Managing users within a VT group could be an arduous task for some group admins. To ease this task, we have incorporated the possibility to filter users by type (member or admin), username, name or email. 
Admins could also download a list of all VT users in the group in a CSV or JSON format.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLZqGce0t83LkgVO-UYvfRyQFxb72Q2q2hoiRsH0hBDd8IXAmfTjucrt5rFE5KyecH_lu25NR49ZOl-4933K6xXUpOw0cVy8C3cG6IgCGPy6zBOz9immtBF8CUPR4PMekRvlzg986w1d00P0N2SAVidsXqss7UP3hYjo4ko5l8AnJJ78EZPni9seCSGBE/s1578/Screenshot%202023-07-19%20at%2022.21.22.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="364" data-original-width="1578" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLZqGce0t83LkgVO-UYvfRyQFxb72Q2q2hoiRsH0hBDd8IXAmfTjucrt5rFE5KyecH_lu25NR49ZOl-4933K6xXUpOw0cVy8C3cG6IgCGPy6zBOz9immtBF8CUPR4PMekRvlzg986w1d00P0N2SAVidsXqss7UP3hYjo4ko5l8AnJJ78EZPni9seCSGBE/s16000/Screenshot%202023-07-19%20at%2022.21.22.png" /></a></div><br /><ul style="text-align: left;"><li id="new_modifiers"><b>New VT Intelligence search modifiers and autocompletion.</b> <a href="https://www.virustotal.com/gui/intelligence-overview">VT INTELLIGENCE</a> is often described as the Google for malware. It allows users to search for IoCs and access superior context to understand threats. It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. We have added support for the following new modifiers. 
Additionally, <a href="https://blog.virustotal.com/2022/05/introducing-autocomplete-for-virustotal.html">queries are now autocompleted</a>, which should ease hunting and reduce the constant back and forth between VT ENTERPRISE and the <a href="https://support.virustotal.com/hc/en-us/articles/360001385897-VT-Intelligence-search-modifiers">search modifiers documentation</a>.</li><ul><ul><ul><li><a href="https://blog.virustotal.com/2023/05/virustotal-mandiant-permhash-unearthing.html">permhash</a>.</li><li><a href="https://www.virustotal.com/gui/search/detectiteasy%253A%2522Compiler%253A%2520EP%253AMicrosoft%2520Visual%2520C%252FC%252B%252B%2520(2017%2520v.15.5-6)%2520%255BEXE32%255D%2522/files">detectiteasy</a>.</li><li><a href="https://www.virustotal.com/gui/search/malware_config%253Aredline">malware_config</a>.</li><li><a href="https://www.virustotal.com/gui/search/attack_tactic%253ATA0005">attack_tactic</a>.</li><li><a href="https://www.virustotal.com/gui/search/attack_technique%253AT1497">attack_technique</a>.</li></ul></ul></ul></ul><ul style="text-align: left;"><li id="new_properties_commonalities"><b>New properties in commonality calculations. </b>When performing the aforementioned VT INTELLIGENCE <a href="https://storage.googleapis.com/vt-gtm-wp-media/virustotal-for-investigators.pdf">reverse searches</a>, or when looking at <a href="https://blog.virustotal.com/2021/11/introducing-virustotal-collections.html">collections of IoCs</a>, <a href="https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt">Retrohunts</a> or other IoC listings, users can quickly understand what the IoCs have in common in terms of technical static and dynamic features through the “commonalities” functionality. 
We are now aggregating and ranking new notions such as malware family names, C2s, etc:</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVVhN0ILxohdypsANNomMIQc89HgX4Ng0iS1iGTfGgHUtkY-vBQEnZiZpSZE3AQrtET6utMqBXrvleXs2IHuwo82suFpMEbKbj8z9eSYtKsB0wCLYvkgSLvuAZ_qt3qCPOowYx2MPrzDjMjSetrSMfn4NF1vgbmyLRhhfZvkl5HMBrHgo2ECcbek6WQQE/s514/Screenshot%202023-07-19%20at%2014.18.01.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="256" data-original-width="514" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVVhN0ILxohdypsANNomMIQc89HgX4Ng0iS1iGTfGgHUtkY-vBQEnZiZpSZE3AQrtET6utMqBXrvleXs2IHuwo82suFpMEbKbj8z9eSYtKsB0wCLYvkgSLvuAZ_qt3qCPOowYx2MPrzDjMjSetrSMfn4NF1vgbmyLRhhfZvkl5HMBrHgo2ECcbek6WQQE/s16000/Screenshot%202023-07-19%20at%2014.18.01.png" /></a></div><br /><ul style="text-align: left;"><li id="threat_landscape"><b>Extending VT ENTERPRISE with adversary intelligence. </b>Since our last release notes we have rolled out adversary intelligence (attribution, threat actor profiling, campaign & toolkit knowledge cards) into our top VirusTotal packages, this new functionality is shipped under the Threat Landscape module and it allows users to climb the pyramid of pain, moving from IoC matching into more of operational/strategic intelligence through TTPs, behavioral patterns and adversary profiling. 
<a href="https://assets.virustotal.com/vt-deep-dive-threat-landscape-module.pdf">Learn more</a>.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHs_qSsCUibP1XOK2hPqTHmpP7a3H-eG_C5xp0ivZbuHXHS7uyejH-WL4enXTICQFEj4mbILPCL1waJarbTCHqqYFLiahw8SpmAm9OzQfV-2Q2PG2R4fugRw27bnZotRGbSuTr_FPRNFHYeHAZ98bumYDP7raX0m5JHBNw0q5PBg1huy_7z7t8gJ-Klhw/s1279/Screenshot%202023-07-19%20at%2014.19.09.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="543" data-original-width="1279" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHs_qSsCUibP1XOK2hPqTHmpP7a3H-eG_C5xp0ivZbuHXHS7uyejH-WL4enXTICQFEj4mbILPCL1waJarbTCHqqYFLiahw8SpmAm9OzQfV-2Q2PG2R4fugRw27bnZotRGbSuTr_FPRNFHYeHAZ98bumYDP7raX0m5JHBNw0q5PBg1huy_7z7t8gJ-Klhw/s16000/Screenshot%202023-07-19%20at%2014.19.09.png" /></a></div><div><br /></div><ul style="text-align: left;"><li id="ioc_stream"><b>IoC Stream as a vehicle to generate tailored relevant threat feeds.</b> Building on the aforementioned new <a href="https://assets.virustotal.com/vt-deep-dive-threat-landscape-module.pdf">Threat Landscape module</a>, we have rolled out the ability to subscribe or follow specific threat actors/campaigns/toolkits/incidents. When following a given threat entity, you get notified about any new IoC related to it. For instance, you would receive live notifications whenever a threat actor you are interested in starts to make use of a new command-and-control domain. These notifications now enter each user’s personal <a href="https://blog.virustotal.com/2023/06/actionable-threat-intel-ii-ioc-stream.html">IoC stream</a>, which is the pipe where all VT ENTERPRISE tailored IoC notifications are being centralized. Indeed, Livehunt YARA rule matches now also populate personal IoC streams. 
This creates an easy vehicle to generate custom feeds based on threats that matter to your organization, providing a centralized hub to receive all your notifications.</li></ul><ul style="text-align: left;"><li id="popular_threat_labels"><b>Popular threat categories and labels.</b> Security teams are often tasked with shedding light on the who/what/why/when/how of an incident. As part of this activity, identifying the malware family behind an attack is crucial for several reasons: understanding threat’s capabilities, tailoring incident response, attribution and tracking, risk assessment and impact analysis, etc. In order to accelerate malware family/toolkit identification we are now digesting multi-antivirus verdicts into overall popular categories and threat labels, ranked by prevalence, <a href="https://www.virustotal.com/gui/file/fade9ed878c9f25ec0e425aec123bfe1bf4e46112ca4d294c0babee29c4faddc">example</a>. This data can also be <a href="https://developers.virustotal.com/reference/popular_threat_classification">retrieved programmatically via API</a>.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaNWZtcL3EKCztM3pP2pr1sUGnkVa5llDRFKSfjiZ-rL3nNdnFQb4JO1wteKf8D8l4c6eES8T3spDEcmF0YEQSiU1432TgzlGD7CxwVw1E9cEMJAW0Iw7NrsSfAQrlJcFP-Pxdt-tibqAlzQvEpX0cmBP5KsYw7o0pI7l4PUDFyKvdwX_mUszC7mr4OJQ/s1151/Screenshot%202023-07-19%20at%2014.20.12.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="217" data-original-width="1151" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaNWZtcL3EKCztM3pP2pr1sUGnkVa5llDRFKSfjiZ-rL3nNdnFQb4JO1wteKf8D8l4c6eES8T3spDEcmF0YEQSiU1432TgzlGD7CxwVw1E9cEMJAW0Iw7NrsSfAQrlJcFP-Pxdt-tibqAlzQvEpX0cmBP5KsYw7o0pI7l4PUDFyKvdwX_mUszC7mr4OJQ/s16000/Screenshot%202023-07-19%20at%2014.20.12.png" /></a></div><br /><ul style="text-align: left;"><li id="malware_config"><b>Improved malware configuration extraction.</b> 
VirusTotal not only analyzes files, domains, IP addresses and URLs with multiple antivirus vendors and blocklists; we also run a myriad of home-grown, open source and 3rd-party tools on these artifacts. One of the dynamic analysis sandboxes in which we detonate uploaded files, Zenbox, has been automatically <a href="https://www.virustotal.com/gui/file/a811117e3b059fa3f8df9c1085f4f56f8c9b45739ce26bbadd76cd03508d349b/detection">decoding/decrypting configuration files for known malware families</a> for a while now (see the “Malware configuration” section in the Details tab of the file analysis report). We have extended this setup and added Mandiant’s Backscatter as one more system that understands common malware families and extracts their configuration files, <a href="https://www.virustotal.com/gui/file/f5294dffbb3bf3a72daa364811ad6b27f6f9e0cbf1d347bc253ceeb3d40a9655/details">see example</a>. Backscatter identifies malware families, C2s, decoys, dropzones, etc. The entire malware configuration output is pivotable (click on any of its fields), and a new search modifier (malware_config:) powers the search, for example <a href="https://www.virustotal.com/gui/search/malware_config%253Aamadey">malware_config:amadey</a>. 
This effort will also soon be leveraged to tag network indicators with the corresponding family and infrastructure categorization.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN_vz237ltmE2x_piTEhiNDygM5Ky4rz7vNqvG8YGlDoGsjFb-T1n5DmesLDp6tmmGzrWnyed7jJcENGyHguXdHcshxEReE1T0uilou2HLbVOtMejVuhZk7WlBC6ytZHy4Nd5UH66k0M-aQdFZwPbwciUqCrwuNQrTnigUYpYXLGmD2d7EwMax1okRXUE/s964/Screenshot%202023-07-19%20at%2014.21.04.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="306" data-original-width="964" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN_vz237ltmE2x_piTEhiNDygM5Ky4rz7vNqvG8YGlDoGsjFb-T1n5DmesLDp6tmmGzrWnyed7jJcENGyHguXdHcshxEReE1T0uilou2HLbVOtMejVuhZk7WlBC6ytZHy4Nd5UH66k0M-aQdFZwPbwciUqCrwuNQrTnigUYpYXLGmD2d7EwMax1okRXUE/s16000/Screenshot%202023-07-19%20at%2014.21.04.png" /></a></div><br /><ul style="text-align: left;"><li id="mitre_navigator"><b>MITRE ATT&CK TTPs and open in/download for MITRE ATT&CK Navigator.</b> The aforementioned myriad of home-grown, open source and 3rd-party tools running on artifacts uploaded to VirusTotal includes 15+ dynamic analysis sandboxes and <a href="https://github.com/mandiant/capa">Mandiant CAPA</a>. Both Mandiant CAPA and some of the sandboxes that we aggregate map out execution observations into MITRE ATT&CK tactics and techniques and <a href="https://github.com/MBCProject/mbc-markdown">Malware Behavior Catalog</a> behaviors. <a href="https://www.virustotal.com/gui/file/10e881fd9f7ebfe20fcd580f5fc0bb9617cd62d01d347fdcb32c63dbe0f3dac0/behavior">See example report</a>, note that tactics and techniques are pivotable. These ATT&CK mappings are now also available as reverse searches in VT INTELLIGENCE, example - <a href="https://www.virustotal.com/gui/search/attack_technique%253AT1027%2520AND%2520attack_technique%253AT1140/files">attack_technique:T1027 AND attack_technique:T1140</a>. 
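The TTP aggregation and the ATT&CK Navigator export described in this entry, as an added example that is not VirusTotal's own code: it takes per-sample technique lists, counts how many samples exhibit each technique (the way the threat actor and collection cards aggregate TTPs across their IoCs) and emits a Navigator layer scored by prevalence. Only the "id" field of each technique entry mirrors VirusTotal's behaviour report format (it is the value the Livehunt rule in this entry compares via technique.id); the sample names and technique lists are constructed, and the ATT&CK/Navigator/layer version numbers written into the output are assumptions.

```python
"""Build an ATT&CK Navigator layer from per-sample MITRE technique mappings.

Added example, not VirusTotal's own code. The input mirrors only one field of
VirusTotal's behaviour reports: each technique entry carries an "id" such as
"T1012", the same value a Livehunt rule compares via `technique.id`. Sample
names, technique lists and the layer version numbers are constructed/assumed.
"""
import json
from collections import Counter

# Constructed input: placeholder sample names (not real hashes) mapped to the
# technique entries their sandbox reports produced. One id is lower-case and
# one is duplicated on purpose, to exercise normalization and per-sample dedup.
SAMPLE_TECHNIQUES = {
    "sample-a (placeholder)": [{"id": "T1012"}, {"id": "T1027"}, {"id": "T1140"}, {"id": "T1547.001"}],
    "sample-b (placeholder)": [{"id": "T1027"}, {"id": "T1140"}, {"id": "T1059.001"}],
    "sample-c (placeholder)": [{"id": "t1012"}, {"id": "T1027"}, {"id": "T1027"}],
}


def normalize_id(tid: str) -> str:
    """Canonicalize an ATT&CK id: upper-case 'T' + digits, optional '.NNN' sub-technique."""
    tid = tid.strip().upper()
    body = tid[1:].split(".")
    if not tid.startswith("T") or len(body) > 2 or not all(part.isdigit() for part in body):
        raise ValueError(f"not an ATT&CK technique id: {tid!r}")
    return tid


def count_techniques(samples: dict) -> Counter:
    """Number of samples exhibiting each technique (a sample counts once per technique)."""
    counts: Counter = Counter()
    for entries in samples.values():
        counts.update({normalize_id(entry["id"]) for entry in entries})
    return counts


def build_navigator_layer(samples: dict, name: str = "Aggregated TTPs (example)") -> dict:
    """Return an ATT&CK Navigator layer dict; the score of a technique is its prevalence."""
    counts = count_techniques(samples)
    total = len(samples)
    techniques = [
        {
            "techniqueID": tid,
            "score": counts[tid],
            "comment": f"observed in {counts[tid]} of {total} samples",
            "enabled": True,
        }
        for tid in sorted(counts)
    ]
    return {
        "name": name,
        # Assumed version triple; adjust to the Navigator instance you import into.
        "versions": {"attack": "13", "navigator": "4.8.2", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "Technique prevalence across a set of samples",
        "techniques": techniques,
        # Heat-map from white (unseen) to red (seen in every sample).
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": total},
    }


def layer_json(samples: dict) -> str:
    """Serialize the layer; the file can be loaded with Navigator's 'Open Existing Layer'."""
    return json.dumps(build_navigator_layer(samples), indent=2)


if __name__ == "__main__":
    print(layer_json(SAMPLE_TECHNIQUES))
```

The per-sample set in count_techniques matters: a sandbox report can list the same technique several times (once per matching signature), and counting it once per sample keeps the score meaning "number of samples", which is what makes the resulting heat map comparable across collections of different sizes.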
Similarly, techniques <a href="https://support.virustotal.com/hc/en-us/articles/360007088057">can be matched via Livehunt YARA rules</a> through the “vt” module (the rule name is illustrative):</li></ul></div><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><div><b>import "vt"</b></div><div><b><br /></b></div><div><b>rule mitre_technique_t1012 {</b></div><div><b>&nbsp;&nbsp;condition:</b></div><div><b>&nbsp;&nbsp;&nbsp;&nbsp;for any technique in vt.behaviour.mitre_attack_techniques : (</b></div><div><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;technique.id == "t1012"</b></div><div><b>&nbsp;&nbsp;&nbsp;&nbsp;)</b></div><div><b>}</b></div></blockquote><div style="text-align: left;"><br /></div><div style="text-align: left;">Last, but not least, we’ve included a shortcut on dynamic analysis reports to open these TTP mappings in <a href="https://mitre-attack.github.io/attack-navigator/">MITRE ATT&CK Navigator</a> or to download them as JSON and import them into similar tools. The shortcut is available in the “Download artifacts” dropdown and on the right of the MITRE ATT&CK section header.</div><div><p></p><ul style="text-align: left;"><li id="url_preview"><b>HTTP response content preview for URL analyses.</b> VirusTotal is not only about file scanning; it also contextualizes <a href="https://www.virustotal.com/gui/home/url">URLs</a>, <a href="https://www.virustotal.com/gui/home/search">domains and IPs</a>. Actually, these days VirusTotal’s most prevalent use case is enriching network indicators. 
We are now mimicking some of the <a href="https://assets.virustotal.com/vt-360-outcomes.pdf">VT ENTERPRISE</a> capabilities available for file reports and including HTTP response content previews in URL analyses, <a href="https://www.virustotal.com/gui/url/7313335cc7db292963432130da001f6b96cc8c1976089c5b311ec947fb6759e6/content/source">example</a>. Most importantly, these responses are pivotable, meaning that users can click on any substring contained within the response and pivot to other files in VirusTotal’s threat corpus that contain the very same pattern, leveraging <a href="https://support.virustotal.com/hc/en-us/articles/360001386897-Content-search-VTGrep-">VTGREP</a>. This is useful in tracking malware toolkit, campaigns and compromises at scale.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUqRdJaT-wxOSsbRS8LiYqs5czf5qV7DN1pDsy6f-Br3XD__iQFMRjLXCM75mB7yWjppQ-XupqE2AezrBmAWNVWAA8cUdvMkOH4Gz8phVgPZlvJYPZ2ctmxXtPITVGm4ZsFgYHBj8ckRQWukZjdd_UaM9Asu79aYzG42d37W1JnnsTx1ZT_MTv2mb8gDU/s1273/Screenshot%202023-07-19%20at%2014.24.22.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="661" data-original-width="1273" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUqRdJaT-wxOSsbRS8LiYqs5czf5qV7DN1pDsy6f-Br3XD__iQFMRjLXCM75mB7yWjppQ-XupqE2AezrBmAWNVWAA8cUdvMkOH4Gz8phVgPZlvJYPZ2ctmxXtPITVGm4ZsFgYHBj8ckRQWukZjdd_UaM9Asu79aYzG42d37W1JnnsTx1ZT_MTv2mb8gDU/s16000/Screenshot%202023-07-19%20at%2014.24.22.png" /></a></div><br /><ul style="text-align: left;"><li id="ip_tags"><b>New IP address tags: proxy, vpn and tor.</b> Examples: <a href="https://www.virustotal.com/gui/search/entity%253Aip%2520tag%253Aproxy/ips">entity:ip tag:proxy</a> / <a href="https://www.virustotal.com/gui/search/entity%253Aip%2520tag%253Avpn/ips">entity:ip tag:vpn</a> / <a href="https://www.virustotal.com/gui/search/entity%253Aip%2520tag%253Ator">entity:ip 
tag:tor</a>. VirusTotal tags IoCs with relevant labels such as file types, packers, significant dynamic behaviors, etc. We are working towards an official tags taxonomy that can immediately contextualize IoCs in ways that are easily consumed by both humans and machines. As part of that effort we have started to tag IP addresses with the proxy (residential proxies), vpn and tor (Tor exit nodes) labels. These tags are dynamic and regularly updated. Security teams that enrich their telemetry with VirusTotal lookups can use these tags to identify attacker connections to their infrastructure: certain threat groups often use residential proxies, VPNs or Tor nodes to connect to their victims’ infrastructure.</li></ul><ul style="text-align: left;"><li id="rule_editor"><b>New YARA rule editor.</b> <a href="https://www.virustotal.com/gui/hunting-overview">VT Hunting</a> <a href="https://support.virustotal.com/hc/en-us/articles/360001315437-Livehunt">Livehunt</a> allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de facto standard for monitoring threat campaigns and malware toolkits, as well as for tracking threat actors going forward. Similarly, VT Hunting allows you to run these rules back in time against the historical corpus through a component called <a href="https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt">Retrohunt</a>. Retrohunt allows you to map out threat campaigns, to find the first instance of an attack or to unearth unknown malware. 
To ease livehunting and retrohunting, we have <a href="https://blog.virustotal.com/2023/07/actionable-threat-intel-iii-introducing.html">rolled out a new YARA rule editor</a> that incorporates rule templates, autocompletion, testing and validation.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDPGnpLNLqoKY_KqDT9ODMkx4VQ0qnO5GOfYVohO_iI3zrx44PAvYX5UHNWNp3UZREqS81CGLSr2kyjiuDJtDkEiMASo2uohPtwf0BuIWE96SB4S3kPakQT5eTvAXdFdvCGPxQeRfYZWpz8ZibUyvg9Cu_oDLzNPP_VrIk8fCeeUuJCZJTv9Cs7EhFBBE/s564/Screenshot%202023-07-19%20at%2014.25.20.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="397" data-original-width="564" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDPGnpLNLqoKY_KqDT9ODMkx4VQ0qnO5GOfYVohO_iI3zrx44PAvYX5UHNWNp3UZREqS81CGLSr2kyjiuDJtDkEiMASo2uohPtwf0BuIWE96SB4S3kPakQT5eTvAXdFdvCGPxQeRfYZWpz8ZibUyvg9Cu_oDLzNPP_VrIk8fCeeUuJCZJTv9Cs7EhFBBE/s16000/Screenshot%202023-07-19%20at%2014.25.20.png" /></a></div><br /><ul style="text-align: left;"><li id="yara_hub"><b>Crowdsourced YARA hub. </b>Expanding on the above, <a href="https://virustotal.github.io/yara/">YARA rules</a> are an essential tool for detecting and classifying malware, and they are one of VirusTotal’s cornerstones. Other than using your own rules for <a href="https://support.virustotal.com/hc/en-us/articles/360001315437-Livehunt">Livehunts</a> and <a href="https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt">Retrohunts</a>, in VirusTotal we import a number of selected crowdsourced rules provided by contributors to help identify and classify samples (<a href="https://www.virustotal.com/gui/file/de023c627cc2bed3dd738136779a6fb6ad100aef2f75387e60f15d69641c7d31">example report</a>). However, finding, tracking and managing VirusTotal’s crowdsourced YARA rules can be challenging, especially as the number of rules and contributors grow. 
To address this, <a href="https://blog.virustotal.com/2023/05/actionable-threat-intel-i-crowdsourced.html">we’ve introduced VirusTotal’s Crowdsourced YARA Hub</a>, allowing users to easily search and filter existing rules, track new ones and one-click export any of them to Livehunt and Retrohunt. This is also a vehicle to stay on top of new threats being investigated by the industry. <a href="https://www.virustotal.com/gui/crowdsourced-yara-hub">Go to Crowdsourced YARA Hub</a>.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdkzJMu7yw9iEdAmdzUvXPGbV3pk7ETUSRX5pfyYkhhhgDteGaFARWFSomlBOPUs0kxqtZAxQNST7NNnOxnGhLoVroMH9-ufU4MqdmN8wCygXHwNoSGDCwDsPbaDePcS08oZbY9hLcVxuH8A5Ag3u5lIJ20jAa9_4peK4xxnODB27Vu4Sj_4lkGKn9fhc/s872/Screenshot%202023-07-19%20at%2014.26.09.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="459" data-original-width="872" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdkzJMu7yw9iEdAmdzUvXPGbV3pk7ETUSRX5pfyYkhhhgDteGaFARWFSomlBOPUs0kxqtZAxQNST7NNnOxnGhLoVroMH9-ufU4MqdmN8wCygXHwNoSGDCwDsPbaDePcS08oZbY9hLcVxuH8A5Ag3u5lIJ20jAa9_4peK4xxnODB27Vu4Sj_4lkGKn9fhc/s16000/Screenshot%202023-07-19%20at%2014.26.09.png" /></a></div><div><b><br /></b></div><ul style="text-align: left;"><li id="vt4splunk"><b>Official VirusTotal app for Splunk (VT4Splunk).</b> <a href="https://splunkbase.splunk.com/app/6654">VT4Splunk</a>, VirusTotal’s official Splunk plugin, correlates your telemetry with VirusTotal context to automate triage, expedite investigations and unearth threats dwelling undetected in your environment. 
This <a href="https://splunkbase.splunk.com/app/5865">extends Splunk’s own VirusTotal plugin for their SOAR</a>.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSwfW-OsZTerBWp28vTdm8Es0eeLzxQMUHaeOFNH8vs8dz7_b5-fC4mgGW9EFZ6ODSPFEu-2u3LUZgYNDpYg6sxCr7CY7R2NhQH0Y99uLYwMcNkp77W6Ep8bb3hLXaFaU9_-wbS0JRNMiHHWlVfKfBR0LIA7SUWnril4qvOS-nWM0A1O-MzCsI1B-KOCk/s1600/v4splunk.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1155" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSwfW-OsZTerBWp28vTdm8Es0eeLzxQMUHaeOFNH8vs8dz7_b5-fC4mgGW9EFZ6ODSPFEu-2u3LUZgYNDpYg6sxCr7CY7R2NhQH0Y99uLYwMcNkp77W6Ep8bb3hLXaFaU9_-wbS0JRNMiHHWlVfKfBR0LIA7SUWnril4qvOS-nWM0A1O-MzCsI1B-KOCk/s16000/v4splunk.png" /></a></div><br /><div><br /></div><p></p></div>Emiliano Martinezhttp://www.blogger.com/profile/00741559542946939395noreply@blogger.comtag:blogger.com,1999:blog-746498462312341605.post-76733258324356429132022-05-23T02:15:00.000-07:002022-05-23T02:15:01.430-07:00May 23rd, 2022 - Forcing SSO/SAML sign in<p></p><h3 style="text-align: left;">What's new?<b> </b><b> </b></h3><p><b>Forcing SSO/SAML authentication for corporate VT Enterprise groups. </b>Continuing with our work on the SSO front and after <a href="https://releases.virustotal.com/2022/04/april-11th-2022-saml-authentication.html" target="_blank">rolling out SAML to support federated login from a wider range of identity providers</a>, <a href="https://www.virustotal.com/gui/services-overview" target="_blank">VT ENTERPRISE</a> group administrators are now able to force their users to mandatorily sign in via their identity provider, be it the default SSO set or a custom SAML configuration. 
Group administrators can find the pertinent settings under the "Settings" tab in their group profile view.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJMdRH8DnO7WfT1Mn6aZRyTJSBqLbd-Sbt2y7MO7dQiGFyNXF3lUdLXhJNZNbhtzY1-saHl_CxZzNXaS5hBJ8f9nm3UOcVCcxYIwLU4QFY1mK3ng7IiPuH0dzbob-VeSpstBypviqW7dOjctjRCP1ujdg8beUAnaxrGNyZcTxUJNHiIQMZDuJS9aM-/s1254/Screen%20Shot%202022-05-23%20at%2011.12.07%20AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="576" data-original-width="1254" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJMdRH8DnO7WfT1Mn6aZRyTJSBqLbd-Sbt2y7MO7dQiGFyNXF3lUdLXhJNZNbhtzY1-saHl_CxZzNXaS5hBJ8f9nm3UOcVCcxYIwLU4QFY1mK3ng7IiPuH0dzbob-VeSpstBypviqW7dOjctjRCP1ujdg8beUAnaxrGNyZcTxUJNHiIQMZDuJS9aM-/w640-h294/Screen%20Shot%202022-05-23%20at%2011.12.07%20AM.png" width="640" /></a></div><br /><p><br /></p>Emiliano Martinezhttp://www.blogger.com/profile/00741559542946939395noreply@blogger.comtag:blogger.com,1999:blog-746498462312341605.post-35851765656690403842022-05-16T02:13:00.001-07:002022-05-16T02:13:32.388-07:00May 16th, 2022 - VT Collections actionability, domain and IP address JARM pivoting, new Linux sandbox partner, VT MISP modules revamp<h3 style="text-align: left;"></h3><h3 style="text-align: left;">What's new?<b> </b><b> </b></h3><ul style="text-align: left;"><li><b>Action menu for VirusTotal collections. </b>VirusTotal Collections <span style="font-weight: normal;">allows
users to share collections of IoCs (hashes, domains, IP addresses and
URLs) among themselves in a more actionable and contextualized manner.
You can read more about this in the <a href="https://blog.virustotal.com/2021/11/introducing-virustotal-collections.html" target="_blank">Introducing VirusTotal Collections</a> blog post; collections can also be <a href="https://blog.virustotal.com/2021/12/vt-collections-swiss-army-knife.html" target="_blank">created from the command line</a>. We have added advanced sorting, filtering, exporting and analysis controls to collections. For example, users can now apply a minimal curation filter (e.g. keep only IoCs with more than 5 detections) before exporting a collection and deploying the resulting artifacts for IoC blocking/flagging in their SIEM, firewalls, protective DNS, etc.</span></li></ul><div><span style="font-weight: normal;"><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjVvuApivwfCbO5fYiDvKFp1SXrQc2h9L_r_7tRpFtPLV3jQM3FeeXAiqu_HcD77qiWo-GHvwR2h9X5E0w9vb49WE7_UMQNK-Bd3CCFlRsRdx4DI-mYJMrYFoN5gyakDt7MvX1V1lz2rsi_DqLYlX-Fe9SCHW1iDgeNON4BxAE6E9HGdix3vh7GfAD/s2494/Screen%20Shot%202022-05-16%20at%2010.00.26%20AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="716" data-original-width="2494" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjVvuApivwfCbO5fYiDvKFp1SXrQc2h9L_r_7tRpFtPLV3jQM3FeeXAiqu_HcD77qiWo-GHvwR2h9X5E0w9vb49WE7_UMQNK-Bd3CCFlRsRdx4DI-mYJMrYFoN5gyakDt7MvX1V1lz2rsi_DqLYlX-Fe9SCHW1iDgeNON4BxAE6E9HGdix3vh7GfAD/s16000/Screen%20Shot%202022-05-16%20at%2010.00.26%20AM.png" /></a></div></span><b></b><b> <br /></b><ul style="text-align: left;"><li><b>JARM pivoting in IP and Domain HTTPS certificates. </b><a href="https://www.virustotal.com/gui/intelligence-overview" target="_blank">VT INTELLIGENCE</a> is often described as the Google for malware. It allows users to search for IoCs and access superior context to understand threats. 
It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. We are adding support for <a href="https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a" target="_blank">JARM</a> as a pivot property. JARM is an active Transport Layer Security (TLS) server fingerprinting tool: it sends a fixed set of specially crafted ClientHello messages to a server and hashes the server's responses. Among other things, it can be used to identify malware command and control infrastructure and other malicious servers on the Internet. VirusTotal sandbox detonation reports already contained JA3 digests, a passive fingerprint of the client side of a TLS handshake (derived from the ClientHello the sample sends), allowing users to find other files that speak TLS with the same code stack, which often groups together variants of a malware family. We are now extending this to actively fingerprint (JARM) the domains and IP addresses scanned by VirusTotal. This extends and complements our existing SSL certificate, whois lookup, DNS record, etc. pivots. Note that a JARM fingerprint characterizes a server's TLS stack and configuration rather than its operator: many legitimate hosts share any given fingerprint, so treat it as a pivot to combine with certificate, DNS and whois properties rather than as a detection on its own. The pivot can be found in Domain/IP address reports, under the "Last HTTPS Certificate" section of the "Details" tab. 
You can also trigger it by clicking the "similar" icon in the top menu bar.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlSqEmI5vmMFdvCBmvJlI4YXjNEpDK2qOvdR-tiWHx5Ub3b9EfvVIcJTfm00U8jT-boigssdelL9DWQpzuJ1Q1A8hbv2FY0pPUzk3vmNnuJsbdwXxaBtZCk7N-mtJa72dBucjH0k5a0pDczSOJ39flArG5LVZiLVUSRgrmn0_cL8TgRplQ-6zZh4Pt/s1926/Screen%20Shot%202022-05-16%20at%205.57.06%20AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="438" data-original-width="1926" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlSqEmI5vmMFdvCBmvJlI4YXjNEpDK2qOvdR-tiWHx5Ub3b9EfvVIcJTfm00U8jT-boigssdelL9DWQpzuJ1Q1A8hbv2FY0pPUzk3vmNnuJsbdwXxaBtZCk7N-mtJa72dBucjH0k5a0pDczSOJ39flArG5LVZiLVUSRgrmn0_cL8TgRplQ-6zZh4Pt/s16000/Screen%20Shot%202022-05-16%20at%205.57.06%20AM.png" /></a></div><br /></div><div><ul style="text-align: left;"><li><b>New Linux partner sandbox, ELF Digest. </b>VirusTotal does not only analyze files, domains, IP addresses and URLs with multiple antivirus vendors and blocklists; we also run a myriad of home-grown, open source and 3rd-party tools on these artifacts, including dynamic analysis sandboxes. Every executable (and many other file formats) uploaded to VirusTotal gets detonated in both VirusTotal-developed and 3rd-party partner dynamic analysis environments to produce behavioral information such as domains contacted, payload download URLs, files created, registry keys set, etc. We have onboarded a new Linux sandbox, <a href="https://blog.virustotal.com/2022/04/virustotal-multisandbox-elf-digest.html" target="_blank">ELF Digest,</a> as part of the multisandbox.<br /></li></ul><h3 style="text-align: left;">What's improved?</h3><ul style="text-align: left;"><li><b>VirusTotal MISP modules. 
</b><a href="https://www.misp-project.org/" target="_blank">MISP</a>, an open source threat intelligence platform,<b> </b>integrates with VirusTotal via three modules, two of which provide the essential enrichment functionality: <a href="https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/expansion/virustotal.py" target="_blank">virustotal</a> and <a href="https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/expansion/virustotal_public.py" target="_blank">virustotal public</a>. We have <a href="https://blog.virustotal.com/2022/04/virustotals-misp-modules-get-fresh.html" target="_blank">greatly revamped them</a> in order to take advantage of the new context and threat graph exposed via our APIv3:</li><ul><li>Threat reputation (Detections) for domains and IPs, not only files/hashes and URLs.</li><li>Clustering fingerprints such as imphash, TLSH, vhash, ssdeep, etc. allowing you to tie together similar IoCs.</li><li>Extended static analysis including whois lookups, geoip location, autonomous system information, etc.</li><li>Related artifacts via our threat graph: URLs from which a file is downloaded, files that communicate with a given domain when detonated in a sandbox, domains historically resolving to a given IP address (pDNS), etc.<br /></li></ul></ul></div>Emiliano Martinezhttp://www.blogger.com/profile/00741559542946939395noreply@blogger.comtag:blogger.com,1999:blog-746498462312341605.post-88027559826162992342022-04-12T07:28:00.005-07:002022-04-12T07:39:39.655-07:00April 11th, 2022 - SAML authentication, major VT GRAPH revamp, ubiquitous IoC contextualization and more<h3 style="text-align: left;">What's new?<b> </b><b> </b></h3><div style="text-align: left;"><ul style="text-align: left;"><li><b>SAML Authentication. </b>Following our <a href="https://releases.virustotal.com/2022/02/february-7th-2022-sso-support-for.html" target="_blank">recent work on the SSO front</a>,
we have now widely rolled out SAML to support federated login from a wider
range of identity providers. Among others, this allows organizations to
use popular services such as Okta to sign in to VirusTotal. If you are a
<a href="https://www.virustotal.com/gui/services-overview" target="_blank">VT ENTERPRISE</a> group administrator and you want to upgrade your team's account security, please refer to the "Settings" tab of your VirusTotal group profile page:</li></ul><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwsACKqXNMLfbD9jP2jkfkRHTTBqV8fouYjjl22L5KCZCb0JL1ecV9-JHsLq-__FiiG1eOVj4OP2QSWpcUSzQtVoGP9QyAn7n4N4HgHrkfKPSW2gCzqMOF78MIPW5r_QY2HCTsCbqhsL90BJTG4Z3Ry9NIkNcwmrGIlheZRoALi-wcY4AQVem2nt0G/s2596/Screen%20Shot%202022-04-12%20at%2012.23.08%20PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1668" data-original-width="2596" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwsACKqXNMLfbD9jP2jkfkRHTTBqV8fouYjjl22L5KCZCb0JL1ecV9-JHsLq-__FiiG1eOVj4OP2QSWpcUSzQtVoGP9QyAn7n4N4HgHrkfKPSW2gCzqMOF78MIPW5r_QY2HCTsCbqhsL90BJTG4Z3Ry9NIkNcwmrGIlheZRoALi-wcY4AQVem2nt0G/s16000/Screen%20Shot%202022-04-12%20at%2012.23.08%20PM.png" /></a></div><p></p><ul style="text-align: left;"><li><b>VT GRAPH revamp. </b>VirusTotal is all about threat context. One of the pillars of context generation is IoC interlinking. We do not stop at providing threat reputation for individual IoCs; we try to build parent-child relationships between all the items in the dataset, e.g. a given file contacts a CnC domain, a URL downloads a given malicious file, etc. All these rich relationships can be explored visually in a single canvas with <a href="https://www.virustotal.com/gui/graph-overview" target="_blank">VT GRAPH</a>, one of the main components of <a href="https://www.virustotal.com/gui/services-overview" target="_blank">VT ENTERPRISE</a>. 
We have rolled out a new VT GRAPH version (<a href="https://blog.virustotal.com/2022/03/meet-our-new-improved-virustotal-graph.html" target="_blank">learn more</a>) incorporating:</li><ul><ul><li> <u>Filtering engine.</u> Graphs are sometimes noisy; the new filtering wizard allows you to easily and instantly (client-side) focus on nodes matching certain criteria, e.g. display only detected domains. AND/OR conditions are allowed.</li><li><u>Expansion through VT Collections.</u> Domains/IPs/URLs/files are now related to <a href="https://blog.virustotal.com/2022/03/meet-our-new-improved-virustotal-graph.html" target="_blank">VT Collections</a>, meaning that you can now pivot from a single IoC to a threat campaign/malware toolkit grouping to unearth additional IoCs that may not be directly tied to your starting point.</li><li><u>Export a graph as a VT Collection.</u> While graphs are fancy, it is difficult to action them in a corporate security stack. To ease this task we now allow you to export a graph into a VT Collection that can then be consumed via STIX and other standard formats in your SIEM/EDR/NDR/etc.<br /></li></ul></ul><li><b>Ubiquitous IoC contextualization.</b> One of VirusTotal's major use cases is automated security telemetry enrichment (false positive discarding, true positive confirmation, alert/incident prioritization and alert/incident contextualization). VirusTotal has become the backbone of many SecOps flows; as a result, most security products have <a href="https://www.paloaltonetworks.com/blog/security-operations/virustotal-welcome-xsoar-marketplace/" target="_blank">bring-your-own API key integrations to power enrichment use cases with our crowdsourced threat intelligence</a>. This said, some of these integrations might be suboptimal in terms of overlaid context. Similarly, you might be using a niche product without an off-the-shelf integration, or you might not have the administration permissions needed to activate certain enrichment plugins. 
We have <a href="https://blog.virustotal.com/2022/03/vt4browsers-any-indicator-every-detail.html" target="_blank">revamped our VT4Browsers extension to solve this and provide superior threat context in a single pane of glass fashion across all your security products</a>. The new functionality will automatically identify IoCs contained within websites of your choice and will incorporate VirusTotal's context to power faster and more accurate response.</li><li><b>New "<i>androguard_package</i>" VT INTELLIGENCE search modifier.</b><i><b> </b></i><a href="https://www.virustotal.com/gui/intelligence-overview" target="_blank">VT INTELLIGENCE</a>
is often described as the Google for malware. It allows users to search
for IoCs and access superior context to understand threats. It also
allows users to perform reverse searches, i.e. to find files, URLs,
domains and IPs matching certain criteria. For example, users can search
for documents that launch powershell when opened, for files containing
certain binary/text patterns, for domains registered by the same
registrant, for URLs containing a given CnC panel path pattern, etc.
IoCs are also tagged with certain informative labels such as CVE numbers
for vulnerabilities that they exploit, file types, etc. <i><b>We have
added a new search modifier for Android applications (APKs) that acts on the <a href="https://support.google.com/admob/answer/9972781?hl=en" target="_blank">Android Package Name</a></b></i>. Why is this useful?</li><ul><ul><li><u>Tracking malware families.</u> Attackers often leverage malware builders or simply recompile/repackage their malicious code to launch new attack instances. This leads to malware family variants exhibiting common properties; these commonalities can be used for detection and campaign monitoring purposes. <a href="https://www.virustotal.com/gui/search/androguard_package%253Acom.nervous.mercury/files" target="_blank">See example</a>. <br /></li><li><u>Brand impersonation monitoring.</u> Attackers will often create fake apps impersonating renowned brands and financial services. For instance, mobile banking trojans will pose as the legitimate banking app in order to deceive users into installing them and eventually intercept their banking credentials to perform fraudulent transactions. The new search modifier allows you to identify apps that are impersonating your brand. <a href="https://www.virustotal.com/gui/search/androguard_package%253Acom.Google.Gmail/files" target="_blank">See example</a>. </li></ul></ul><li><b>Malicious IP address resolution call out in Domain reports. </b>VirusTotal is not only about file reputation and file context; these days we have equally rich context on domains, IP addresses and URLs. Moreover, network IoCs tend to be more actionable than hashes, as malware infrastructure tends to get reused across attacks and binary-distinct malware variants. Domain reports now highlight whether the domain last resolved to a detected IP address, without having to pivot to the IP address itself. 
This data point complements the domain reputation itself and can shed additional light whenever the domain itself is still undetected:</li></ul><p></p><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh92b1LeLfvEkLVWdQ8RhNbsEBksfBstuNmzwvHnSlrqQOSqXAsAhhbP3Ql_HqTFJLm5CcnUHnYgemB8ftCxW8pCA08TNrN35JfbKbYgvkUSdwpcGS1jmags8mcEUz1YUhAOkO1MIaz8DXs56B7bKlCDiKDSznxs56y9gfZXvVLL2nUdivjPVi6TTEI/s2608/Screen%20Shot%202022-04-12%20at%204.08.45%20PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="912" data-original-width="2608" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh92b1LeLfvEkLVWdQ8RhNbsEBksfBstuNmzwvHnSlrqQOSqXAsAhhbP3Ql_HqTFJLm5CcnUHnYgemB8ftCxW8pCA08TNrN35JfbKbYgvkUSdwpcGS1jmags8mcEUz1YUhAOkO1MIaz8DXs56B7bKlCDiKDSznxs56y9gfZXvVLL2nUdivjPVi6TTEI/s16000/Screen%20Shot%202022-04-12%20at%204.08.45%20PM.png" /></a></div><h3 style="text-align: left;"> </h3><h3 style="text-align: left;">What's improved<b>?</b></h3><div style="text-align: left;"><ul style="text-align: left;"><li><b>Re-sending activation emails.</b> Customers access <a href="https://www.virustotal.com/gui/services-overview" target="_blank">VT ENTERPRISE</a> with individual user accounts tied to a given corporate group. You can create a VirusTotal user account <a href="https://www.virustotal.com/gui/join-us" target="_blank">here</a>. Upon signing up, an activation email is sent. Users that have not followed the activation link are not able to use the service. From time to time users miss this activation email or it ends up in some spam filter. 
If you now try to sign in with an inactive user account, you will be informed about the account state and the system will allow you to re-send the activation email.</li></ul><p style="text-align: center;"><b id="docs-internal-guid-805e55e5-7fff-973b-709c-7cf5f1350476" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span style="border: medium none; display: inline-block; height: 311px; overflow: hidden; width: 347px;"><img height="311" src="https://lh6.googleusercontent.com/GcsxXb8hSxWSjZaNCpP_b1vqW4im4XIkwIeEnGrkjmB0z0RmE8nA4jI7aRm8wllT0qCVcoGyCpIY0DSIqv1Kfxh4DrPpHLBidPkn9JlrMy_S9dlt0Sh4zpCcrPuHBw-QZzUjL9c6Mf4sssGyLMI" style="margin-left: 0px; margin-top: 0px;" width="347" /></span></span></b> </p><h3 style="text-align: left;">What's changed<b>?</b></h3><ul style="text-align: left;"><li><b>Dynamic analysis Sysmon logs exported in XML format instead of binary.</b> <a href="https://www.virustotal.com/gui/intelligence-overview" target="_blank">VT INTELLIGENCE</a> is sometimes described as both a telescope for the threat landscape and a microscope for individual IoCs. Dynamic analysis of files submitted to VirusTotal (sandbox detonation) is one of the microscope-like capabilities. Moreover, VirusTotal aggregates multiple 3rd-party and home-grown sandboxes in order to improve visibility into threats, making cloaking more complex (different OS, different language packages, different software, distinct execution tracing techniques, etc.). VirusTotal's own home-grown sandboxes produce <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon" target="_blank">Sysmon</a> execution logs that can be downloaded from VT INTELLIGENCE, alongside the network trace (PCAP), memory dump, detailed execution trace, etc. 
Sysmon traces used to be exported in their raw binary format; we have switched this to XML, which brings two major improvements:</li><ul><ul><li>Event data is streamed out of the sandbox machines in real time, which prevents missing data due to unfinished analyses or crashes.</li><li>Better noise filtering, as events can be automatically discarded in the sandbox itself.<br /></li></ul></ul></ul><p style="text-align: left;"></p></div></div>Emiliano Martinezhttp://www.blogger.com/profile/00741559542946939395noreply@blogger.comtag:blogger.com,1999:blog-746498462312341605.post-20257649942627909862022-03-08T04:48:00.003-08:002022-04-12T03:11:29.837-07:00March 7th, 2022 - YARA dotnet module in VT Hunting, new VT Intelligence search tags and SAML preview<h3 style="text-align: left;">What's new?<b> </b></h3><ul style="text-align: left;"><li><b>YARA dotnet module available for Livehunt and Retrohunt. </b><a href="https://www.virustotal.com/gui/hunting-overview" target="_blank">VT Hunting</a> Livehunt allows <a href="https://www.virustotal.com/go/vt360" target="_blank">VT Enterprise</a> users to write <a href="http://virustotal.github.io/yara/" target="_blank">YARA rules</a>
that are matched against the incoming live stream of files uploaded to
VirusTotal. It has become a de facto standard to monitor threat
campaigns and malware toolkits, as well as to track threat actors going
forward. Similarly, VT Hunting allows you to run these rules back in time against the historical corpus through a component called Retrohunt. Retrohunt allows you to map out threat campaigns, to find the first instance of an attack or to unearth unknown malware. VT Hunting Livehunt already supports the <a href="https://yara.readthedocs.io/en/stable/modules/pe.html" target="_blank">pe</a>, <a href="https://yara.readthedocs.io/en/stable/modules/elf.html" target="_blank">elf</a>, <a href="https://yara.readthedocs.io/en/v4.1.3/modules/math.html" target="_blank">math</a>, <a href="https://yara.readthedocs.io/en/v3.4.0/modules/magic.html" target="_blank">magic</a>, <a href="https://yara.readthedocs.io/en/v4.1.3/modules/hash.html" target="_blank">hash</a>, and <a href="https://yara.readthedocs.io/en/v4.1.3/modules/cuckoo.html" target="_blank">cuckoo</a> YARA modules. <i><b>We are rolling out support for the <a href="https://yara.readthedocs.io/en/v4.1.3/modules/dotnet.html" target="_blank">dotnet module</a>, both in Livehunt and Retrohunt. </b></i>The dotnet module allows you to create more fine-grained rules for .NET files by using attributes and features of the .NET file format. 
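The following rule is an added example of the kind of .NET-specific logic the dotnet module makes possible; it is not a rule from the page or from VirusTotal. It combines the pe and dotnet modules to flag unsigned .NET executables that reference the PowerShell hosting assembly and carry a base64-encoded PE as a string literal. The rule name, the size cap and the choice of indicators are illustrative assumptions, not indicators taken from the page.

```yara
import "pe"
import "dotnet"

// Added example: Livehunt-style rule for .NET loaders that host PowerShell
// in-process and embed a next-stage PE. Thresholds and strings are assumptions.
rule dotnet_inproc_powershell_loader
{
    meta:
        description = "Unsigned .NET PE referencing System.Management.Automation with an embedded base64 PE"
        author = "illustrative example, not a VirusTotal rule"

    strings:
        // Base64 of a standard MZ/DOS header (bytes 4D 5A 90 00 03 00 00 00 04 00 00 00).
        // .NET droppers frequently store the next stage this way in a string literal.
        $b64_mz = "TVqQAAMAAAAEAAAA" ascii wide
        // Loaders that spawn PowerShell instead of hosting it still carry this literal.
        $ps_cmd = "powershell" ascii wide nocase

    condition:
        // Structural gate: a PE with .NET metadata streams. For non-.NET files the
        // dotnet fields are undefined and the whole condition evaluates to false.
        uint16(0) == 0x5A4D and
        dotnet.number_of_streams > 0 and
        // Hosts PowerShell in-process: the assembly references System.Management.Automation.
        for any i in (0 .. dotnet.number_of_assembly_refs - 1) : (
            dotnet.assembly_refs[i].name == "System.Management.Automation"
        ) and
        // Legitimate PowerShell hosts are normally Authenticode-signed.
        pe.number_of_signatures == 0 and
        ($b64_mz or $ps_cmd) and
        filesize < 5MB
}
```

Pasted into a Livehunt ruleset, this matches against the live upload stream; the same text run as a Retrohunt job scans the historical corpus. To track a particular builder rather than a behaviour, the module also exposes fields such as dotnet.typelib, dotnet.module_name and dotnet.assembly.name, which often survive recompilation of a family and make good pivots once seeded from a known sample.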
</li></ul><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEite13LmZ2ROPNBpn0FOj0_sPBIuS4b5JNUOBUycgQdQtfFJj4CiyuwTMBAKZZ0Cajlu3pVPjl9XHWQ_Hpyop2s3fd3Q2ySdLHsp3KWUqXC1gtn_2ajFFS9hF9HYA_CIuWADB3H4ybCF8m_mxPRCqVYaa9vHVxhaT3JaJ6Wq5fNm9ZsV8Tpupn1IHVn=s2070" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="988" data-original-width="2070" height="846" src="https://blogger.googleusercontent.com/img/a/AVvXsEite13LmZ2ROPNBpn0FOj0_sPBIuS4b5JNUOBUycgQdQtfFJj4CiyuwTMBAKZZ0Cajlu3pVPjl9XHWQ_Hpyop2s3fd3Q2ySdLHsp3KWUqXC1gtn_2ajFFS9hF9HYA_CIuWADB3H4ybCF8m_mxPRCqVYaa9vHVxhaT3JaJ6Wq5fNm9ZsV8Tpupn1IHVn=w1772-h846" width="1772" /></a></div><p></p><ul style="text-align: left;"><li><b>New "<i>spreader</i>" tag for files in VT INTELLIGENCE. </b><a href="https://www.virustotal.com/gui/intelligence-overview" target="_blank">VT Intelligence</a> is often described as the Google for malware. It allows users to search for IoCs and access superior context to understand threats. It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. For example, users can search for documents that launch powershell when opened, for files containing certain binary/text patterns, for domains registered by the same registrant, for URLs containing a given CnC panel path pattern, etc. IoCs are also tagged with certain informative labels such as CVE numbers for vulnerabilities that they exploit, file types, etc. <i><b>We have added a new tag (spreader) for malware families that are polymorphic in nature and, once executed, may produce new instances of the same variant</b></i>. 
You can test it with the following search: <a href="https://www.virustotal.com/gui/search/tag%253Aspreader" target="_blank">tag:spreader</a>.</li><li><b>New "first_submitter" VT INTELLIGENCE search modifier.</b> As described above, <a href="https://www.virustotal.com/gui/intelligence-overview" target="_blank">VT Intelligence</a> allows you to perform reverse searches over VirusTotal's IoC corpus. Those reverse searches can match {behavioural/execution, static, binary, metadata, relationship, etc.} properties. The criteria can even act on upload/submission information. For example, users were already able to leverage the <i><a href="https://twitter.com/tbarabosch/status/1500775590210723842" target="_blank">submitter</a> </i>modifier to search for files uploaded from a given country or through a given interface (api, web, email). In the event of multiple submissions, this modifier acted on any of the submission countries/interfaces. We have added a new modifier to narrow down searches based on the first submitter country/interface, example: <a href="https://www.virustotal.com/gui/search/first_submitter%253Aes%2520first_submitter%253Aweb/files" target="_blank">first_submitter:ES AND first_submitter:web</a>.</li></ul><h3 style="text-align: left;">What's in preview?<b> </b></h3><div style="text-align: left;"><ul style="text-align: left;"><li><b>SAML Authentication. </b>Following our <a href="https://releases.virustotal.com/2022/02/february-7th-2022-sso-support-for.html" target="_blank">recent work on the SSO front</a>, we are starting to test SAML to support federated login from a wider range of identity providers. Among others, this allows organizations to use popular services such as Okta to sign in to VirusTotal. 
If you are a <a href="https://www.virustotal.com/gui/services-overview" target="_blank">VT ENTERPRISE</a> customer and want to upgrade your team's account security by testing our preview SAML functionality, please <a href="https://www.virustotal.com/gui/contact-us/technical-support" target="_blank">don't hesitate to contact us</a>.<br /></li></ul></div>Emiliano Martinezhttp://www.blogger.com/profile/00741559542946939395noreply@blogger.comtag:blogger.com,1999:blog-746498462312341605.post-41962471070800819182022-02-14T07:09:00.002-08:002022-02-14T07:09:24.320-08:00February 14th, 2022 - MISP + VirusTotal, Livehunt improvements and notifications on missing hashes<h3 style="text-align: left;">What's new?<b> </b></h3><ul style="text-align: left;"><li><b>MISP and VT Collections integration. </b><a href="https://blog.virustotal.com/2021/11/introducing-virustotal-collections.html" target="_blank">VT Collections</a>
allows users to easily share with each other listings of threat
campaign, threat actor or malware toolkit IoCs. MISP users can now create
a VT Collection based on a MISP event with a single click. Similarly,
VirusTotal users can now export VT Collections as STIX to import them
into their security stack, including their own MISP instance. <a href="https://blog.virustotal.com/2022/02/misp-and-vt-collections.html" target="_blank">Read more</a>. </li><li><b>Ruleset owner in Livehunt.</b> <a href="https://www.virustotal.com/gui/hunting-overview" target="_blank">VT Hunting</a> Livehunt allows <a href="https://www.virustotal.com/go/vt360" target="_blank">VT Enterprise</a> users to write <a href="http://virustotal.github.io/yara/" target="_blank">YARA rules</a>
that are matched against the incoming live stream of files uploaded to
VirusTotal. It has become a de facto standard to monitor threat
campaigns and malware toolkits, as well as to track threat actors going
forward. In VT Hunting, YARA rules can be shared with other users, which
effectively allows them to share feeds of IoC matches. <a href="https://www.virustotal.com/gui/hunting/rulesets" target="_blank">Livehunt ruleset listing summaries</a>
now display the owner of the ruleset whenever that owner is not you,
this allows you to identify at a glance rulesets shared with you.</li></ul><p style="text-align: center;"> <b id="docs-internal-guid-14af961f-7fff-0476-4fbd-5f50de1c3182" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span style="border: medium none; display: inline-block; height: 187px; overflow: hidden; width: 624px;"><img height="187" src="https://lh5.googleusercontent.com/mplaNBpqMb1XE1U0OOqR-jpuO90tWFbNgS0SFSjLnazeDhc_7Y38pjuOLyXKQgoaxGeOeaSxLClWIx88FzKNNo52ceXkJEBiB0JHYkaZJ97l_E2W1I_VVwZKoEuffrI1Zb30YKWhpA" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></b></p><ul style="text-align: left;"><li><b>Notifications on missing hashes. </b>VirusTotal allows you to search for file analysis reports using the file's <a href="https://www.virustotal.com/gui/home/search" target="_blank">MD5, SHA1 or SHA256 hash</a>.
When searching for a file that is not yet in the corpus you can now
easily create a YARA rule to get automatically notified if VirusTotal
ever receives it. A single click of a button is all that is needed.</li></ul><p style="text-align: center;"><b id="docs-internal-guid-4f2f11a3-7fff-4639-ff7b-1419a7120a1a" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span style="border: medium none; display: inline-block; height: 172px; overflow: hidden; width: 624px;"><img height="172" src="https://lh5.googleusercontent.com/9ZQ2Id2u2E4RsJu1p0cRd9bstAD7hblOaiuuj5RHoSbBhWrEVpAABrNscRHojDi9E9KkpuTubbfD8CDUG4FSSqA_G6jlvYxUSyxC9PPOwijpcce7U3gMccFvCDb6bmHEd6VFl9WHBw" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></b> <br /></p>Emiliano Martinezhttp://www.blogger.com/profile/00741559542946939395noreply@blogger.comtag:blogger.com,1999:blog-746498462312341605.post-496923137700177322022-02-07T03:07:00.002-08:002022-02-07T03:07:54.581-08:00February 7th, 2022 - SSO support for Microsoft<h2 style="text-align: left;">What's new?<b> </b></h2><ul style="text-align: left;"><li><b>SSO authentication support for Microsoft. </b>Last November <a href="https://releases.virustotal.com/2021/11/november-29th-2021-sso-extended.html" target="_blank">we announced SSO support in VirusTotal</a>. We have now extended the original set of supported identity providers (Google, Twitter and GitHub) with Microsoft. Microsoft customers can now <a href="https://www.virustotal.com/gui/sign-in" target="_blank">sign in</a> or <a href="https://www.virustotal.com/gui/join-us" target="_blank">sign up</a> to VirusTotal with a single click. 
As a reminder, the SSO feature works with pre-existing VirusTotal Community accounts; in other words, if you already had an account tied to your Microsoft-powered identity, you can use SSO as a more convenient and secure way to log in to VirusTotal.</li></ul><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh0O8uMPRmum4F_S761QBj37gb4tpKh3R9z7pr0RaKn6GLSJiS7GAwnPGTPQpC14XTN9_9fucESuyTYxV_NUjDLRzYf5-s4rbdDxPEsDuWy1RzbC6dGFuNJtulTuCcGFpCMTuajY1kIh2-UHBRd95r-F7CyUfY44rKOOJOljx2E-_MfJY55VcNc7mZy=s646" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="552" data-original-width="646" height="273" src="https://blogger.googleusercontent.com/img/a/AVvXsEh0O8uMPRmum4F_S761QBj37gb4tpKh3R9z7pr0RaKn6GLSJiS7GAwnPGTPQpC14XTN9_9fucESuyTYxV_NUjDLRzYf5-s4rbdDxPEsDuWy1RzbC6dGFuNJtulTuCcGFpCMTuajY1kIh2-UHBRd95r-F7CyUfY44rKOOJOljx2E-_MfJY55VcNc7mZy=s320" width="320" /></a></div><h3 style="text-align: left;">What's fixed?</h3><ul style="text-align: left;"><li><b>Creation date pivots. </b><a href="https://www.virustotal.com/gui/intelligence-overview" target="_blank">VT INTELLIGENCE</a> allows users to pivot on any file, domain, IP address or URL analysis attribute, meaning that they can search over VirusTotal's historical corpus for other IoCs that share the same property. One of the analysis attributes available for pivoting is the file "creation date". This property means different things for different file types: for a Portable Executable file it is the PE compilation timestamp, for a PDF it is the generation date metadata field, and the same goes for Office documents. The field can be tampered with, but certain malware builder kits very often leave it untouched, so it can be used for clustering purposes. Similarly, it can be used to try to understand attack timelines. 
There was a bug whereby the single-click pivot for this field in file reports appended a trailing "UTC" to the search string, which is neither supported nor needed; <a href="https://www.virustotal.com/gui/search/generated%253A%25222008-04-19T16%253A51%253A58%2522/files" target="_blank">this has now been fixed</a>. You can click on the "Creation Time" property of <a href="https://www.virustotal.com/gui/file/946adb4721a1115e78b31eb2b52f4fb6527cd76dd4637b682ea61dbb6db121dc/details" target="_blank">this file</a> to test it.<br /></li></ul><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjU_kbs1D1hzqbsTl1lqw9V52GNLGxx11KDf-V6dXiBHmOpIrL0Zjng34W3kLop7O3sjMVKepdXf0tiBfasyniEC48bmpn2hGUqER9LmraAWgvIkQ-nFLCExDNhqNqETeBJ77akhcXzblZ88bjjnsWf6LxsbkrYwHun7S_NHXdQSAGB-NIBpTeHbK8v=s644" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="354" data-original-width="644" height="352" src="https://blogger.googleusercontent.com/img/a/AVvXsEjU_kbs1D1hzqbsTl1lqw9V52GNLGxx11KDf-V6dXiBHmOpIrL0Zjng34W3kLop7O3sjMVKepdXf0tiBfasyniEC48bmpn2hGUqER9LmraAWgvIkQ-nFLCExDNhqNqETeBJ77akhcXzblZ88bjjnsWf6LxsbkrYwHun7S_NHXdQSAGB-NIBpTeHbK8v=w640-h352" width="640" /></a></div><br /> <p></p><p></p><p> </p><p> </p>Emiliano Martinezhttp://www.blogger.com/profile/00741559542946939395noreply@blogger.comtag:blogger.com,1999:blog-746498462312341605.post-91421450207909813252022-02-01T04:24:00.001-08:002022-02-01T06:38:07.994-08:00January 31st, 2022 - Enterprise controls, URL tags and new detection and contextualization sources<div><h3 style="text-align: left;">What's new?<b> </b></h3><ul style="text-align: left;"><li><b>Extended editor controls for Livehunt rules. 
</b><a href="https://www.virustotal.com/gui/hunting-overview" target="_blank">VT Hunting</a> Livehunt allows <a href="https://www.virustotal.com/go/vt360" target="_blank">VT Enterprise</a> users to write <a href="http://virustotal.github.io/yara/" target="_blank">YARA rules</a> that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de facto standard for monitoring threat campaigns and malware toolkits, and for tracking threat actors over time. In VT Hunting, YARA rules can be shared with other users, which effectively lets them share feeds of IoC matches. We have improved the editor controls for rule sets; editors now have most of the powers of rule set owners:</li><ul><li>Add/remove other editors.</li><li>Enable/change the rule set notification email.</li><li>Modify the rule set daily notification limit.</li><li>Modify the rule set name.</li></ul><li><b>Pending VT Enterprise group invitations.</b> <a href="https://www.virustotal.com/gui/services-overview" target="_blank">VT Enterprise</a> access is group-based. Organizations license the service and access it through a VT Enterprise group, which can hold as many corporate users as they need. Group administrators can invite users from their organization on their VT Enterprise group profile page. Invited users do not need a pre-existing <a href="https://www.virustotal.com/gui/join-us" target="_blank">VirusTotal account</a>: those without one receive an email inviting them to join VirusTotal and, once they do, they are automatically added to the pertinent corporate group. This process used to lack feedback. Pending invitations are now listed in the group profile users tab and can be revoked if they become stale. 
</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiPEFxCrgJ4XKaetrbFi42F7ZuNO4vbfp8nML1Qwi6l62ksTT3TNzpmmGfxXYk-UdHetDMXEwh_Cblg4OGVWksgNHxGa0It_yE_LWP5B61IcPM9zajbh1_8aIBlzn55_ZEuhKtRzTT45S9jOVqgwMuipwuDDh5cA_kzIMXl0Tw5QCH6_FJiSTZOJ4FF=s2172" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="726" data-original-width="2172" height="214" src="https://blogger.googleusercontent.com/img/a/AVvXsEiPEFxCrgJ4XKaetrbFi42F7ZuNO4vbfp8nML1Qwi6l62ksTT3TNzpmmGfxXYk-UdHetDMXEwh_Cblg4OGVWksgNHxGa0It_yE_LWP5B61IcPM9zajbh1_8aIBlzn55_ZEuhKtRzTT45S9jOVqgwMuipwuDDh5cA_kzIMXl0Tw5QCH6_FJiSTZOJ4FF=w640-h214" width="640" /></a></div><ul style="text-align: left;"><li><b>New URL scanning partners. </b>VirusTotal not only analyzes and contextualizes files, but also domains, IP addresses and URLs. We have added 3 new partners providing verdicts on whether a given URL is malicious or not: <a href="https://tracker.viriback.com/" target="_blank">ViriBack C2</a>, <a href="https://chongluadao.vn/" target="_blank">Chong Lua Dao</a> and <a href="https://www.acronis.com" target="_blank">Acronis</a>. </li><li><b>New URL corpus search tags. </b><a href="https://www.virustotal.com/gui/intelligence-overview" target="_blank">VT INTELLIGENCE</a> allows users to search through VirusTotal's historical corpus of files, URLs, domains and IPs. Users can perform <a href="https://support.virustotal.com/hc/en-us/articles/360001385897-VT-Intelligence-search-modifiers" target="_blank">reverse searches</a>, i.e. identify IoCs that exhibit certain properties, network communications, contents, submission metadata, etc. For convenience, some of those properties are condensed into tags. 
The tags ontology for URLs has been extended and now supports two new tags:</li><ul><li><a href="https://www.virustotal.com/gui/search/entity%253Aurl%2520tag%253Amultiple-redirects/urls" target="_blank">multiple-redirects:</a> visiting the pertinent URL triggers a redirect chain with multiple hops.<br /></li><li><a href="https://www.virustotal.com/gui/search/entity%253Aurl%2520tag%253Ans-port/urls" target="_blank">ns-port:</a> non-standard port. The web server for this URL is listening on a port other than 80/443.<br /></li></ul></ul><h3 style="text-align: left;">What's improved?<b> <br /></b></h3><ul style="text-align: left;"><li><b>New crowdsourced YARA rule sources for detection and contextualization.</b> At VirusTotal we build towards something that we call "multi-angular detection". One of our goals is to aggregate as many orthogonal detection engines/mechanisms as possible so as to implement a multi-layered defense-in-depth approach at the IoC detection level. If a malware sample goes undetected by the antivirus industry, it may still be flagged by our crowdsourced intrusion detection system rules, SIGMA rules, etc. VirusTotal file reports are also enriched with detections coming from <a href="https://support.virustotal.com/hc/en-us/articles/360015658497-Crowdsourced-YARA-Rules" target="_blank">YARA rules crowdsourced from the security community</a>. 
We have added 4 new sources; beyond extra detection coverage, they provide very handy context whenever antivirus generic detections, heuristics or machine learning classifiers kick in.</li><ul><li><a href="https://www.github.com/securitymagic/yara">github.com/securitymagic/yara</a></li><li><a href="https://www.github.com/lubiedo/threatintel">github.com/lubiedo/threatintel</a></li><li><a href="https://www.github.com/InQuest/yara-rules-vt">github.com/InQuest/yara-rules-vt</a></li><li><a href="https://www.github.com/eset/malware-ioc">github.com/eset/malware-ioc</a></li></ul></ul></div><p></p><h3 style="text-align: left;">What has changed?</h3><div><ul style="text-align: left;"><li><b>FireEye file scanning engine renamed to Trellix.</b> Following the <a href="https://www.darkreading.com/threat-intelligence/fireeye-mcafee-enterprise-renamed-as-trellix" target="_blank">merger of security firms McAfee Enterprise and FireEye</a>, the FireEye engine has been renamed to Trellix, the name of the new company. You might want to update any <a href="https://www.virustotal.com/gui/intelligence-overview" target="_blank">VT INTELLIGENCE</a> queries that leveraged the "fireeye" search modifier, as well as any <a href="https://developers.virustotal.com/reference/overview" target="_blank">VT API</a> scripts that accessed the corresponding engine key in the detection results structure, since the old key will no longer be present in new reports.<br /></li></ul></div>Emiliano Martinezhttp://www.blogger.com/profile/00741559542946939395noreply@blogger.comtag:blogger.com,1999:blog-746498462312341605.post-72225632049951825582022-01-25T06:56:00.001-08:002022-02-07T01:34:05.460-08:00January 24th, 2022 - More intelligible API quotas, onboarding handholding and VTDIFF fix<div><h3 style="text-align: left;">What's new?<b> </b></h3><ul style="text-align: left;"><li><b>More intelligible API limits view. 
</b>VirusTotal API keys are <a href="https://developers.virustotal.com/reference/public-vs-premium-api" target="_blank">governed by a set of privileges and consumption quotas</a>. Consumption quotas dictate how many lookups a given user can perform in a given time frame. There are three different types of quotas that can apply to API keys: per minute, per day and per month. If you exhaust your per-minute allowance, you cannot retrieve any further information from the API until the next minute; the same goes for the daily and monthly limits. In other words, whichever quota runs out first is the one enforced. This often led to misunderstandings. We have revamped the <a href="https://www.virustotal.com/gui/my-apikey" target="_blank">user API key</a> and the premium group API key views to make this clearer, and we have added shortcuts to common tools and documentation for the API: </li></ul><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgw8HGEw7Tozd-AYDhvly-mFLTK7mnsOa8bjRYNidfZsUCpU__1SaKAfpj_5O_QwPuXVeCjMDJfOH679S34Hd-nT1LoTFN_wy_ZOKKwc0-fKVnTcdKvJvhYGF9r4D0hVuLsFa0oev4AcuNvgRGgDhY8gzWh7cpGtyELxy3-WXAH9ONGK2OpUc-ryhyK=s2580" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="978" data-original-width="2580" height="243" src="https://blogger.googleusercontent.com/img/a/AVvXsEgw8HGEw7Tozd-AYDhvly-mFLTK7mnsOa8bjRYNidfZsUCpU__1SaKAfpj_5O_QwPuXVeCjMDJfOH679S34Hd-nT1LoTFN_wy_ZOKKwc0-fKVnTcdKvJvhYGF9r4D0hVuLsFa0oev4AcuNvgRGgDhY8gzWh7cpGtyELxy3-WXAH9ONGK2OpUc-ryhyK=w640-h243" width="640" /></a></div><p></p><ul style="text-align: left;"><li><b>Onboarding handholding. </b>At VirusTotal we are committed to making our users successful. We want you to become power users and we want to make sure our platform aligns with your goals. 
New users added to <a href="https://www.virustotal.com/gui/services-overview" target="_blank">VT ENTERPRISE</a> groups now receive onboarding tips and materials. For now these mostly point to the golden use cases outlined in our <a href="https://www.virustotal.com/getstarted/" target="_blank">Getting Started guide</a>. </li></ul></div><h3 style="text-align: left;">What's fixed?<b> <br /></b></h3><ul style="text-align: left;"><li> <b>Session not found bug in VTDIFF.</b> <a href="https://support.virustotal.com/hc/en-us/articles/360010904818-VTDIFF-Automatic-YARA-rules" target="_blank">VTDIFF</a> is a <a href="https://www.virustotal.com/gui/hunting-overview" target="_blank">VT HUNTING</a> component that allows users to automatically identify optimal binary patterns to detect a group of files and build <a href="https://virustotal.github.io/yara/" target="_blank">YARA rules</a> with these. Recent improvements had introduced a transient bug whereby a "Not found" view was displayed upon launching a new VTDIFF job. This has now been fixed and you should no longer see this intermittent behaviour. <br /></li></ul>Emiliano Martinezhttp://www.blogger.com/profile/00741559542946939395noreply@blogger.comtag:blogger.com,1999:blog-746498462312341605.post-36225937480565606902022-01-18T03:50:00.001-08:002022-01-18T04:42:08.013-08:00January 17th, 2022 - Palo Alto Cortex XSOAR marketplace and new VirusTotal Collections sources<div><h3 style="text-align: left;">What's new?<b> </b></h3><ul style="text-align: left;"><li><b>Premium VT API packs in the Palo Alto Cortex XSOAR marketplace.</b> <span style="font-weight: normal;">We have published 4 <a href="https://xsoar.pan.dev/marketplace?q=virustotal" target="_blank">new premium VT API packs in the Palo Alto Cortex XSOAR marketplace</a>. XSOAR (formerly Demisto) is a Security Orchestration, Automation and Response platform that allows companies to collect threat-related data from a range of sources (SIEM, firewall, IDS, etc.) 
and automate the responses to the threat. Palo Alto Networks customers can now spend their credits towards the VirusTotal integration to contextualize incidents with superior crowdsourced visibility and perform more effective triage through multi-angular detection (sandboxing, YARA analysis, SIGMA behavioural flags, antivirus scanning, etc.).</span></li><ul><li><span style="font-weight: normal;"><a href="https://xsoar.pan.dev/marketplace/details/virustotalTriage" target="_blank">VirusTotal XSOAR Triage</a> - 100M lookups / month in the VT API.</span></li><li><span style="font-weight: normal;"><a href="https://xsoar.pan.dev/marketplace/details/virustotalEnrich" target="_blank">VirusTotal XSOAR Enrich</a> - 1M lookups / month in the VT API. </span></li><li><span style="font-weight: normal;"><a href="https://xsoar.pan.dev/marketplace/details/virustotalRespond" target="_blank">VirusTotal XSOAR Respond</a> - 150K lookups / month in the VT API.</span></li><li><span style="font-weight: normal;"><a href="https://xsoar.pan.dev/marketplace/details/virustotalStarter" target="_blank">VirusTotal XSOAR Starter</a> - 5K lookups / month in the VT API.</span></li><li><span style="font-weight: normal;">Note that both Palo Alto Networks customers and any other user can still <a href="https://www.virustotal.com/gui/contact-us/premium-services" target="_blank">provision custom premium API keys from VirusTotal</a> and operate XSOAR with these. 
</span></li></ul></ul></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjfBNSOQCCIS4fqxoqaJQHhCsU1UhWC9DGtlFJFNvH7qD_3AVWJhwNTH1oi_tOzVXwK36RGYfqdT1JsCa2G189uTC2TNhvLhlEPJNtDt8CI1YaKzpnRqhgQS7TTaW3cJDERqfrNaPNK1AZFKA5ToGDAXPKLDR3dXRrDwZc8Ye5AMm9dIsSnelrd7jaq=s4322" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1246" data-original-width="4322" src="https://blogger.googleusercontent.com/img/a/AVvXsEjfBNSOQCCIS4fqxoqaJQHhCsU1UhWC9DGtlFJFNvH7qD_3AVWJhwNTH1oi_tOzVXwK36RGYfqdT1JsCa2G189uTC2TNhvLhlEPJNtDt8CI1YaKzpnRqhgQS7TTaW3cJDERqfrNaPNK1AZFKA5ToGDAXPKLDR3dXRrDwZc8Ye5AMm9dIsSnelrd7jaq=s16000" /></a></div><br /><span style="font-weight: normal;"><br /></span><div><ul style="text-align: left;"><li><span style="font-weight: normal;"><b>Vir.IT file scanner. </b>Since our last release notes update we have added a new malware scanning engine to VirusTotal: Vir.IT eXplorer PRO. You can read more about this inclusion in the <a href="https://blog.virustotal.com/2021/12/virustotal-virit.html" target="_blank">welcome post</a>. Similarly, you can see it in action detecting a file in this <a href="https://www.virustotal.com/gui/file/6b0eea1a3b5e8c0419034b01f22d6bc3e9e25774d5a829116cb524ecfa6b642e" target="_blank">VirusTotal report</a>. <b> <br /></b></span></li><li><span style="font-weight: normal;"><b>VirusTotal Collections. </b>Since our last release notes we have also launched some major functionality to allow users to share collections of IoCs (hashes, domains, IP addresses and URLs) among themselves in a more actionable and contextualized manner. 
You can read more about this in the <a href="https://blog.virustotal.com/2021/11/introducing-virustotal-collections.html" target="_blank">Introducing VirusTotal Collections</a> blog post; you can also <a href="https://blog.virustotal.com/2021/12/vt-collections-swiss-army-knife.html" target="_blank">easily create collections from the command line</a>. </span></li></ul></div><div style="text-align: left;"><span style="font-weight: normal;"></span><h3 style="text-align: left;">What's improved?<b> <br /></b></h3></div><div style="text-align: left;"><ul style="text-align: left;"><li><b>New VirusTotal collections sources for additional contextualization.</b> The aforementioned VirusTotal Collections functionality is not only driven by user contributions; VirusTotal also crowdsources relevant threat information sources such as AlienVault OTX, Malpedia or Abuse.ch. In this development iteration we have added two new sources:</li><ul><li><a href="https://www.virustotal.com/gui/user/sicehice/collections" target="_blank">Sicehice</a> - Sicehice fingerprints common attacker infrastructure and aggregates data from a number of sources in a way that is more easily searchable.</li><li><a href="https://www.virustotal.com/gui/user/dschwarz/collections" target="_blank">Zeusmuseum</a> - The Zeus banking malware has been a fixture of the cybercrime landscape since 2006. With the release of its source code in 2011, Zeus splintered into many different malware families. The goal of Zeusmuseum is to find, categorize, and lightly document every version of these Zeus-derived families. 
<br /></li></ul></ul></div>Emiliano Martinezhttp://www.blogger.com/profile/00741559542946939395noreply@blogger.comtag:blogger.com,1999:blog-746498462312341605.post-71060255998859429662021-11-29T06:29:00.004-08:002021-11-29T06:29:53.024-08:00November 29th, 2021 - SSO, Extended crowdsourced YARA detection and new relations<h3 style="text-align: left;">What's new?<b> </b></h3><div style="text-align: left;"><ul style="text-align: left;"><li><b>SSO Authentication.</b> <span style="font-weight: normal;">Users</span> <span style="font-weight: normal;">can now <a href="https://www.virustotal.com/gui/sign-in" target="_blank">sign in</a> or <a href="https://www.virustotal.com/gui/join-us" target="_blank">sign up</a> to VirusTotal via single sign-on.</span> <span style="font-weight: normal;">3 </span>identity providers have been added: Google, Twitter and GitHub. Microsoft will soon follow, SAML soon thereafter. The new SSO feature works with pre-existing VirusTotal Community accounts, in other words, if you already had an account tied to your Gmail account, for example, you may still use SSO as a more convenient way to log in to VirusTotal. 
</li></ul><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgn89EqIc4Gml82vOJHoTLWqVKdDaDtr__8oUYhyJaVhUDrzubXJcxRZKLqhl7CCnRg67tgIs-4Hfg3kEyCXVtJL58Qe9lHuKXtdo5zfUU8lMrdtJAAhUyiW5sv8ckViIchnphV0K3AJpX8AEqf0YArNOWdAVQgvR_SVvIJKgGk_UpWajZqFJ-wB8pu=s626" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="472" data-original-width="626" height="241" src="https://blogger.googleusercontent.com/img/a/AVvXsEgn89EqIc4Gml82vOJHoTLWqVKdDaDtr__8oUYhyJaVhUDrzubXJcxRZKLqhl7CCnRg67tgIs-4Hfg3kEyCXVtJL58Qe9lHuKXtdo5zfUU8lMrdtJAAhUyiW5sv8ckViIchnphV0K3AJpX8AEqf0YArNOWdAVQgvR_SVvIJKgGk_UpWajZqFJ-wB8pu=s320" width="320" /></a></div><p></p><ul style="text-align: left;"><li><div style="text-align: left;"><b>Extended crowdsourced YARA detection. </b>3 new community repositories have been added to our <a href="https://support.virustotal.com/hc/en-us/articles/360015658497-Crowdsourced-YARA-Rules" target="_blank">crowdsourced YARA detection</a>
setup. This complements antivirus engines, sandbox dynamic analysis,
SIGMA rules, etc. to provide multi-angular characterization of files
through orthogonal detection mechanisms. These are the newly added
repositories:</div></li><ul><li><a href="http://github.com/ditekshen/detection">github.com/ditekshen/detection</a></li><li><a href="http://github.com/fboldewin/YARA-rules">github.com/fboldewin/YARA-rules</a></li><li><a href="http://github.com/stratosphereips/yara-rules">github.com/stratosphereips/yara-rules</a></li></ul></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjoehevijTVAGkXMAydbAR35QZ7UHKJ1QPNHDR2wl7PoHn5R1VjJZvDj2zVg8q4uodID1uMF-AO2AhdK-2iDOPpHQcWhCOPmLUaqJAzO6WZoMkWEKpUOabazPGIoU9bPDAtyq0qfkCOgm7MeVCPv6VSz9Uuyku9nyUdWFvXMhkAWFNPBpts39qQeEAm=s1462" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="386" data-original-width="1462" height="168" src="https://blogger.googleusercontent.com/img/a/AVvXsEjoehevijTVAGkXMAydbAR35QZ7UHKJ1QPNHDR2wl7PoHn5R1VjJZvDj2zVg8q4uodID1uMF-AO2AhdK-2iDOPpHQcWhCOPmLUaqJAzO6WZoMkWEKpUOabazPGIoU9bPDAtyq0qfkCOgm7MeVCPv6VSz9Uuyku9nyUdWFvXMhkAWFNPBpts39qQeEAm=w640-h168" width="640" /></a></div><ul style="text-align: left;"><li><b>New IoC relationship: URLs sharing the same tracker ID. </b>VirusTotal interlinks all the observables (files/hashes, URLs, domains, IP addresses) in its dataset in order to provide advanced context on threats. We already allowed <a href="https://www.virustotal.com/gui/intelligence-overview">VT INTELLIGENCE</a> users to <a href="https://blog.virustotal.com/2021/11/uncovering-brandjacking-with-virustotal.html" target="_blank">pivot over the corpus based on web trackers (Google Ads IDs, Facebook IDs, etc.)</a>. 
Now we are making contextualization easier by incorporating the pivot as a full-fledged relationship that <a href="https://www.virustotal.com/gui/url/4b3b5a4e3d96e05a26089b8bf58bc268eddaf1c83d01755bd3229d6bcce7e105/relations">directly shows up in the Relations tab of URL reports</a> and can be easily explored with <a href="https://www.virustotal.com/gui/graph-overview">VT GRAPH</a>.</li></ul><h3 style="text-align: left;">What has changed?</h3></div><div style="text-align: left;"><ul style="text-align: left;"><li><b>Numeric identifiers for crowdsourced YARA rulesets.</b> Numeric identifiers for existing <a href="https://support.virustotal.com/hc/en-us/articles/360015658497-Crowdsourced-YARA-Rules" target="_blank">Crowdsourced YARA rulesets</a> have changed. This means that searches like <a href="https://www.virustotal.com/gui/search/crowdsourced_yara_rule%253A002735f19d%257CPyInstaller" target="_blank">crowdsourced_yara_rule:002735f19d|PyInstaller</a> may return 0 results if <i>002735f19d</i> is an old identifier. All links in our UI already have the new identifiers, so this should affect only those users that stored the identifiers on their side and may be using them to run periodic searches.<br /></li></ul></div>Emiliano Martinezhttp://www.blogger.com/profile/00741559542946939395noreply@blogger.comtag:blogger.com,1999:blog-746498462312341605.post-75025530041961959952019-07-05T02:13:00.002-07:002020-02-27T07:54:32.760-08:00June 2019 - Retrohunt over goodware corpus, APIv3 file feed and more<h3>
What's new? </h3>
<ul>
<li><b>Retrohunt users can now run their rules against a goodware corpus for rule QA testing</b>. <a href="https://www.virustotal.com/gui/hunting-overview" target="_blank">VT Hunting</a> allows users to run <a href="http://virustotal.github.io/yara/" target="_blank">YARA rules</a> back in time against VirusTotal submissions. When writing YARA rules it is often difficult to gauge their quality and make sure that they do not produce too many false positives, and hence too much noise. VT Hunting's Retrohunt now lets you run YARA rules against a corpus of goodware, so you can check that the rules you craft do not trigger false positives before running a fully fledged retrohunt and/or deploying them in VT Hunting Livehunt.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-XGjR9S0iAqo/XR5iN8Gg12I/AAAAAAAAKB0/HfyL_Qx4LAUmJIbCKSqEe2J9bVmapYKhACLcBGAs/s1600/corpus.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="403" data-original-width="452" height="570" src="https://1.bp.blogspot.com/-XGjR9S0iAqo/XR5iN8Gg12I/AAAAAAAAKB0/HfyL_Qx4LAUmJIbCKSqEe2J9bVmapYKhACLcBGAs/s640/corpus.png" width="640" /></a></div>
<ul>
<li><b>File feed implementation in APIv3</b>. <a href="https://developers.virustotal.com/v3.0/reference" target="_blank">APIv3</a> has not yet been officially announced; however, it has been stable for nearly two years and many users have already adopted it. APIv3 was missing the file and URL feeds, i.e. the live stream of reports for every file or URL processed by VirusTotal. The file feed endpoint has now been implemented in APIv3 and is documented at: <a href="https://developers.virustotal.com/v3.0/reference#get-feed-batch" target="_blank">https://developers.virustotal.com/v3.0/reference#get-feed-batch</a>.</li>
</ul>
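<p>As an added illustration (this is example code written for these notes, not VirusTotal's own client), here is a minimal consumer for one file feed batch as described above. It assumes the wire format the APIv3 feed reference describes: a bzip2-compressed body with one JSON file object per line, fetched per minute. The sample batch is constructed inline with synthetic hashes and verdicts so the snippet runs offline. The <code>engine_result</code> helper also covers the engine rename noted in the January 31st, 2022 post: it looks a detection up under the new key and falls back to the former one, so scripts keep working across reports written before and after the rename.</p>

```python
import bz2
import json
from typing import Dict, Iterator, List, Optional, Sequence

# Engine renames to tolerate when reading detection results (new key -> former keys).
# The FireEye -> Trellix rename comes from the release notes; the mapping shape is
# this example's own convention.
ENGINE_ALIASES: Dict[str, Sequence[str]] = {"Trellix": ("FireEye",)}


def iter_feed_batch(batch: bytes) -> Iterator[dict]:
    """Yield one file object per line of a feed batch.

    Assumed wire format (APIv3 file feed reference): a bzip2-compressed UTF-8
    body with one JSON file object per line.
    """
    for line in bz2.decompress(batch).decode("utf-8").splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def engine_result(file_obj: dict, engine: str) -> Optional[dict]:
    """Return one engine's entry from last_analysis_results, tolerating renamed keys."""
    results = file_obj.get("attributes", {}).get("last_analysis_results", {})
    for name in (engine, *ENGINE_ALIASES.get(engine, ())):
        if name in results:
            return results[name]
    return None


def triage_batch(batch: bytes, min_malicious: int = 5,
                 engine: str = "Trellix") -> List[Dict[str, object]]:
    """Keep files flagged malicious by at least min_malicious engines, with one engine's verdict."""
    rows: List[Dict[str, object]] = []
    for obj in iter_feed_batch(batch):
        attrs = obj.get("attributes", {})
        malicious = int(attrs.get("last_analysis_stats", {}).get("malicious", 0))
        if malicious < min_malicious:
            continue
        verdict = engine_result(obj, engine) or {}
        rows.append({
            "sha256": attrs.get("sha256", obj.get("id")),
            "type": attrs.get("type_description"),
            "malicious": malicious,
            engine: verdict.get("result"),
        })
    return rows


def build_sample_batch() -> bytes:
    """Constructed sample batch: synthetic hashes, stats and verdicts, not real data."""
    objects = [
        {"id": "a" * 64, "type": "file", "attributes": {
            "sha256": "a" * 64, "type_description": "Win32 EXE",
            "last_analysis_stats": {"malicious": 12, "undetected": 50},
            "last_analysis_results": {
                "Trellix": {"category": "malicious", "result": "Example.Trojan.A"}}}},
        {"id": "b" * 64, "type": "file", "attributes": {
            "sha256": "b" * 64, "type_description": "PDF",
            "last_analysis_stats": {"malicious": 7, "undetected": 55},
            # Older report still carrying the pre-rename engine key.
            "last_analysis_results": {
                "FireEye": {"category": "malicious", "result": "Example.Exploit.B"}}}},
        {"id": "c" * 64, "type": "file", "attributes": {
            "sha256": "c" * 64, "type_description": "Text",
            "last_analysis_stats": {"malicious": 0, "undetected": 62},
            "last_analysis_results": {}}},
    ]
    return bz2.compress("\n".join(json.dumps(o) for o in objects).encode("utf-8"))


if __name__ == "__main__":
    # In production the batch bytes come from the feed endpoint (assumed path:
    # GET /api/v3/feeds/files/<YYYYMMDDhhmm>, sent with the x-apikey header).
    for row in triage_batch(build_sample_batch()):
        print(row)
```

<p>Two things worth keeping from this shape in a real consumer: treat each line as an independent record (a single malformed line should not discard the whole batch), and keep engine-name aliases in one place so a rename like FireEye to Trellix is a one-line change rather than a hunt through every script that reads <code>last_analysis_results</code>.</p>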
<h3>
What's improved?</h3>
<ul>
<li><b>One-click away pivoting within file details, file behavior and file-submission report tabs</b>. Many users overlook the fact that <a href="https://www.virustotal.com/gui/intelligence-overview" target="_blank">VT Intelligence</a> indexes most of the metadata that VirusTotal generates for the files it processes; this includes all of the data produced by tools that run on the binaries, e.g. file signature details. When hovering over items in the file details, <a href="https://blog.virustotal.com/search/label/multisandbox" target="_blank">file behavior</a> and file submission tabs, they now turn blue (link style) whenever the particular field you are looking at is searchable with VT Intelligence. Clicking those elements triggers the pertinent search for other files sharing the same property.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-f5VwrVpPjCg/XR5i7JyfA0I/AAAAAAAAKB8/3U5_ve3guIIBzhLTFzAVmnWtnsp9_CVZwCLcBGAs/s1600/pivoting.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="343" data-original-width="683" height="320" src="https://1.bp.blogspot.com/-f5VwrVpPjCg/XR5i7JyfA0I/AAAAAAAAKB8/3U5_ve3guIIBzhLTFzAVmnWtnsp9_CVZwCLcBGAs/s640/pivoting.png" width="640" /></a></div>
<ul>
<li><b>Preview of resolutions for subdomains in domain reports</b>. One of the relationships highlighted in <a href="https://www.virustotal.com/gui/domain/drive.google.com/relations" target="_blank">domain reports</a> is the subdomains of the pertinent domain name. Up until now this was a plain list that would link to the pertinent report on the specific subdomain under consideration. This list now displays a preview of the resolutions for the particular subdomain, the full list is displayed upon following the link to the subdomain report. </li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-UtZQ_RipioE/XR5jW_bQcBI/AAAAAAAAKCI/UGxgcYelx3AglGpiF-TqwKb3Wy7AQ458wCLcBGAs/s1600/subdomains.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="579" data-original-width="635" height="577" src="https://1.bp.blogspot.com/-UtZQ_RipioE/XR5jW_bQcBI/AAAAAAAAKCI/UGxgcYelx3AglGpiF-TqwKb3Wy7AQ458wCLcBGAs/s640/subdomains.png" width="640" /></a></div>
<ul>
<li><b>Flatten and simplify VT Enterprise UI</b>. Following feedback from multiple users we have started to flatten the new VT Enterprise UI, making sure there is no mix of colors and styles that distracts researchers from their core goal when using the platform. This includes small tweaks such as rendering file desktop icon images in grayscale and restoring their original color only when hovering over the particular file result row.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-ppfb76ZxvIQ/XR5jyiVffXI/AAAAAAAAKCQ/ZTHvsm-_EwEwrvRNqFR7-0am8_voukx3QCLcBGAs/s1600/flatten.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="282" data-original-width="1331" height="134" src="https://1.bp.blogspot.com/-ppfb76ZxvIQ/XR5jyiVffXI/AAAAAAAAKCQ/ZTHvsm-_EwEwrvRNqFR7-0am8_voukx3QCLcBGAs/s640/flatten.png" width="640" /></a></div>
<h3>
What's fixed?</h3>
<ul>
<li><b>VT Intelligence multisearch regular expression</b>. VT Enterprise users can paste arbitrary text into the main search bar in VirusTotal; the text is automatically parsed, relevant indicators of compromise are extracted (hashes, domains, IP addresses and URLs), and a search for all those observables is run. The pattern used to match hashes did not match hashes immediately preceded by arbitrary text and a colon, with no other separator in between. This has been fixed, and strings of the form <i>whatever:2340620f189d821181d42f03eff4cc30c19f576514c5eebad83ad011cabf989a</i> now match. This specifically applies to the downloadable text output of retrohunt jobs.</li>
<li><b>APIv3 search and download endpoint quota consumption</b>. When using <a href="https://developers.virustotal.com/v3.0/reference" target="_blank">APIv3</a> there was a bug whereby calls to the <a href="https://developers.virustotal.com/v3.0/reference#intelligence-search" target="_blank">file search</a> and <a href="https://developers.virustotal.com/v3.0/reference#files-download" target="_blank">file download</a> endpoints consumed VT Intelligence search and download quota even if you had licensed the premium API. The logic now always benefits the user: if you only have VT Intelligence access it consumes search and download quota; if you have both VT Intelligence and VT Premium API, or just VT Premium API, it consumes API lookup quota.</li>
<li><b>Display ROM BIOS inner PE GUIDs</b>. The new VT Enterprise UI was missing the GUIDs for PE files found within <a href="https://www.virustotal.com/gui/file/4fff8c151f6844bf2a3ff60f799d0ab01002919760115342415bac98b674b001/relations" target="_blank">ROM BIOS images</a>, this data point has been recovered and can be seen upon opening the details of the pertinent contained artefact.</li>
</ul>
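<p>The extraction step behind the multisearch fix above, written out as an added example (it is not VirusTotal's own parser, whose exact patterns are not published here): a small extractor that pulls hashes, IPv4 addresses, URLs and domains out of free text, refangs common defanging notation, and, like the fixed pattern, accepts a hash glued to a preceding label and colon with no other separator. The sample text, the small file-extension deny list and the function names are this example's own assumptions.</p>

```python
import re
from typing import Dict, Set
from urllib.parse import urlsplit

# Hex digests of 32 (MD5), 40 (SHA-1) or 64 (SHA-256) characters. The look-arounds
# only require that no further hex digit touches the match, so "label:<digest>"
# is accepted (the case the fix above addressed) while a 64-char digest is not
# also reported as an embedded MD5/SHA-1.
HEX_HASH = re.compile(r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])")
IPV4 = re.compile(r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])")
URL = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)
DOMAIN = re.compile(r"(?<![\w.-])(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}(?![\w-])", re.IGNORECASE)

# Assumed deny list: file names such as "invoice.exe" look like domains to DOMAIN.
NOT_A_TLD = {"exe", "dll", "doc", "docx", "pdf", "zip", "txt", "js", "ps1", "bat", "dat", "bin"}
TRAILING_PUNCT = ".,;:)]}'\""


def refang(text: str) -> str:
    """Undo common defanging so indicators match: hxxp -> http, [.] -> ., [:] -> :."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def extract_iocs(text: str) -> Dict[str, Set[str]]:
    """Extract hashes, IPv4 addresses, URLs and domains from free text."""
    text = refang(text)
    found: Dict[str, Set[str]] = {k: set() for k in ("md5", "sha1", "sha256", "ips", "urls", "domains")}

    for digest in HEX_HASH.findall(text):
        found[{32: "md5", 40: "sha1", 64: "sha256"}[len(digest)]].add(digest.lower())

    for url in URL.findall(text):
        url = url.rstrip(TRAILING_PUNCT)
        found["urls"].add(url)
        host = urlsplit(url).hostname or ""
        if host and not IPV4.fullmatch(host):
            found["domains"].add(host.lower())

    found["ips"].update(IPV4.findall(text))

    # Mask URLs first so path components such as "gate.php" are not taken for domains.
    remainder = URL.sub(" ", text)
    for dom in DOMAIN.findall(remainder):
        if dom.rsplit(".", 1)[-1].lower() not in NOT_A_TLD:
            found["domains"].add(dom.lower())
    return found


# Constructed sample input: the SHA-256 is the one quoted in the fix above, the MD5 is
# the well-known digest of the empty file, and the hosts and IP are placeholders.
SAMPLE_TEXT = """\
Retrohunt match whatever:2340620f189d821181d42f03eff4cc30c19f576514c5eebad83ad011cabf989a
dropper invoice.exe md5 d41d8cd98f00b204e9800998ecf8427e
C2: hxxp://evil[.]example/gate.php, beacons to c2[.]evil[.]example and 10.0.0.1 on port 8080.
"""

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TEXT).items():
        print(kind, sorted(values))
```

<p>The hash pattern is the part that matters for the bug described above: anchoring on "not preceded or followed by another hex digit" instead of on whitespace or word boundaries is what lets <code>whatever:&lt;sha256&gt;</code> match while still refusing to carve a 32-character MD5 out of the middle of a longer digest.</p>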
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-m-AtEmhGf40/XR5kxcHnQfI/AAAAAAAAKCc/bwt_idfY2BgUMkikqJXwjc6VnXuViBrDgCLcBGAs/s1600/rombios.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="304" data-original-width="634" height="305" src="https://1.bp.blogspot.com/-m-AtEmhGf40/XR5kxcHnQfI/AAAAAAAAKCc/bwt_idfY2BgUMkikqJXwjc6VnXuViBrDgCLcBGAs/s640/rombios.png" width="640" /></a></div>
Emiliano Martinezhttp://www.blogger.com/profile/00741559542946939395noreply@blogger.com