| property | value |
|---|---|
| tags | pkm-pocket-pipeline, threat-hunting, threat-intel, virustotal |
| url | |
| original_word_count | 2083 |
Article Excerpt
This post will explain the process you can follow to create a VT Livehunt rule from a VT Intelligence query, something typical in threat hunting and threat intelligence operations.
Long Summary
This article provides a comprehensive guide on how to convert VirusTotal Intelligence (VTI) queries into LiveHunt rules. It explains the process of creating rules in a simpler way by using the “structure” feature in LiveHunt, which allows analysts to click on the interesting fields and create the rule conditions without needing to know all the available fields in the VT module. Additionally, the article explains how to use the “behavior” modifier to search information within the process tree.
The article provides examples of how to create Livehunt rules from VT Intelligence queries for three different threat actors: Bitter APT, RomCom RAT, and Gamaredon.

For Bitter APT, the article explains how to create a Livehunt rule based on the use of the process "schtasks.exe" and the environment variable "%comspec%" in the command line during detonation. It also explains how to add two extra conditions to the rule: the "chm" tag and notifications for newly uploaded files.

For RomCom RAT, the article explains how to create a Livehunt rule based on the use of the process "rundll32.exe" and the functions "fwdTst" and "#1" exported by the observed DLLs. It also explains how to add two extra conditions to the rule: detection of the file by AntiVirus vendors and the search for files written during detonation.

For Gamaredon, the article explains how to create a Livehunt rule based on the string ".ru" in the command line, the string "DavSetCookie", the string "http", the search for communications established with domains under the ".ru" TLD, and the search for domains and URLs embedded within the document that contain the ".ru" TLD. It also explains how to add one extra condition to the rule: restricting matches to document files.
The article also explains how to use VT Intelligence queries to minimize noise and ensure quality results before creating a LiveHunt rule. It explains that a quality VTI query can be translated into a YARA with just a few minor changes. Additionally, the article provides references to IP address, domain, and file search modifiers, as well as links to resources on network and file hunting. Finally, the article provides YARA rules for each of the
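As an added illustration of the translation the article describes (this is the editor's example, not a rule from the article or from VirusTotal), the Livehunt rule below encodes the Bitter APT conditions summarised above: a `schtasks.exe` process and a `%comspec%` command line seen during detonation, plus the two extra conditions (the `chm` tag and new-file-only notifications). A second rule does the same for the Gamaredon network conditions. The `vt` module field names used here (`vt.behaviour.processes_created`, `vt.behaviour.command_executions`, `vt.behaviour.dns_lookups`, `vt.behaviour.http_conversations`, `vt.metadata.tags`, `vt.metadata.new_file`) are the ones the editor knows from the module; confirm each against the Livehunt "structure" panel before deploying, and the `doc`/`docx` tag values used for the document-file restriction are an assumption.

```yara
import "vt"

// Added example: Bitter APT conditions from the article, expressed as a Livehunt rule.
// Roughly equivalent VTI query (assumed form): behavior:"schtasks.exe" behavior:"%comspec%" tag:chm
rule bitter_apt_schtasks_comspec_chm
{
    meta:
        description = "CHM uploads that spawn schtasks.exe with a %comspec% command line during detonation"
        author      = "editor example, not the article's rule"

    condition:
        // condition 1: a schtasks.exe process was created in the sandbox process tree
        for any proc in vt.behaviour.processes_created : (
            proc icontains "schtasks.exe"
        )
        and
        // condition 2: a command line during detonation uses the %comspec% environment variable
        for any cmd in vt.behaviour.command_executions : (
            cmd icontains "%comspec%"
        )
        and
        // extra condition 1: the sample carries the chm tag
        for any tag in vt.metadata.tags : (
            tag == "chm"
        )
        and
        // extra condition 2: only notify on files newly uploaded to VT, not re-scans
        vt.metadata.new_file
}

// Added example: Gamaredon network conditions from the article, restricted to document files.
rule gamaredon_ru_tld_document_lures
{
    meta:
        description = "Documents whose detonation touches .ru domains or URLs, or whose command line references .ru / DavSetCookie / http"
        author      = "editor example, not the article's rule"

    condition:
        // extra condition: document files only (tag values assumed; check the structure panel)
        for any tag in vt.metadata.tags : (
            tag == "doc" or tag == "docx"
        )
        and
        (
            // command line strings named in the article
            for any cmd in vt.behaviour.command_executions : (
                cmd icontains ".ru" or cmd icontains "DavSetCookie" or cmd icontains "http"
            )
            or
            // communications with domains under the .ru TLD during detonation
            for any lookup in vt.behaviour.dns_lookups : (
                lookup.hostname iendswith ".ru"
            )
            or
            // HTTP conversations whose URL host is a .ru domain
            for any conv in vt.behaviour.http_conversations : (
                conv.url icontains ".ru/"
            )
        )
}
```

The `for any ... in` loops are how the structure panel's array fields are queried; each `and` block corresponds to one modifier in the original VTI query, which is what makes the translation mechanical once the query is returning clean results.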
Short Summary
📓 The path from VT Intelligence queries to VT Livehunt rules: A CTI analyst approach
👉🏽 This post will explain the process you can follow to create a VT Livehunt rule from a VT Intelligence query. Something typical in threat hunting and threat intelligence operations.
👉🏽 Comprehensive guide on converting VirusTotal Intelligence queries to LiveHunt rules.
👉🏽 Simplifies the process of creating LiveHunt rules by using the "structure" feature in LiveHunt.
👉🏽 Shows how to use the "behavior" modifier to search for information within the process tree.
👉🏽 Examples of creating LiveHunt rules for three different threat actors: Bitter APT, RomCom RAT, and Gamaredon.
👉🏽 Explains the conditions and variables to include in the LiveHunt rules for each threat actor.
👉🏽 Demonstrates how to add extra conditions to the LiveHunt rules for more precise detection.
👉🏽 Advice on using VT Intelligence queries to minimize noise and ensure high-quality results.
👉🏽 Explains how to translate a quality VTI query into a YARA rule with minor modifications.
👉🏽 Provides references to IP address, domain, and file search modifiers for further information.
👉🏽 Includes YARA rules for each threat actor mentioned in the article.
🔗 summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/the-path-from-vt-intelligence-queries-to-vt-livehunt-rules-a-cti-analyst-approach
#VirusTotalIntelligence #LiveHuntRules #ProcessTreeBehavior #ThreatActors #QualityResults