The path from VT Intelligence queries to VT Livehunt rules: A CTI analyst approach
从VT Intelligence 查询到VT Livehunt 规则的途径:CTI分析师方法
This post will explain the process you can follow to create a VT Livehunt rule from a VT Intelligence query. Something typical in threat hunting and threat intelligence operations.
本篇文章将介绍从 VT Intelligence 查询创建 VT Livehunt 规则的过程。这个过程在威胁狩猎和威胁情报工作中很常见。
Let’s assume that, as a threat hunter, you created robust VT intelligence (VTI) queries getting you reliable results without false positives. Your queries are so good that you run them daily to obtain fresh new samples, which is a tedious job to do manually (pro tip - you can automate using the API).
假设作为一名威胁狩猎者,你创建了强大的 VT intelligence(VTI)查询语句,这个查询语句给你带来了可靠的结果,并且没有误报。你的查询语句实现的功能非常强大,以至于你每天都要运行这些查询语句来从VT获取新的样本,而这是一项繁琐的手动工作(专业提示--你可以使用 API 自动执行这个过程)。
A good alternative would be converting your VTI query into a LiveHunt rule, so you will be immediately notified every time any uploaded indicator matches your criteria. Unfortunately, there is not an automated way to convert intelligence queries into LiveHunt rules (and vice versa), and in some cases it is not even possible to obtain exactly the same results (technical tldr - due to limitations of the stored data structure).
一个好的替代方法是将 VTI 查询转换为 LiveHunt 规则,这样每次上传的文件与你的 LiveHunt 规则相匹配时,你就会立即收到通知。遗憾的是,目前还没有自动将 intelligence 查询转换为 LiveHunt 规则的方法(反之亦然),在某些情况下甚至无法获得完全相同的结果(技术提示--由于存储数据结构的限制)。
But do not despair. In this post we are going to show many practical cases showing LiveHunt rules based on VT intelligence queries, how you can do it yourself, and pros, cons and limitations for this approach.
但不要绝望。在这篇文章中,我们将展示许多基于 VT intelligence 查询转换为 LiveHunt 规则的实际案例,包括如何动手亲自实践,以及这种方法的优点、缺点和局限性。
The perfect query ̶d̶o̶e̶s̶n̶’̶t̶ exist
完美的查询不存在
Bitter APT
Bitter APT is a suspected South Asian cyber espionage threat group. Security researchers like StopMalvertisin, among others, regularly publish information about this actor in both X and VirusTotal community.
Bitter APT 组织是一个疑似南亚网络间谍威胁组织。StopMalvertisin 等安全研究人员定期在 X 和 VirusTotal 社区发布有关该组织的信息。
To start hunting for files related to Bitter APT, you probably want to subscribe to any attributed VirusTotal collection or the threat actor profile itself.
要开始搜索与 Bitter APT 组织相关的文件,你可能需要订阅任何可归属到Bitter组织的 VirusTotal collection 或属于 Bitter 组织的威胁参与者概况。
https://www.virustotal.com/gui/threat-actor/1e9bd6fe-e009-41ce-8e92-ad78c73ee772/summary
https://www.virustotal.com/gui/collection/alienvault\_627ce58306cce7d0a5ae037a
You can also search for what the community is discussing about this APT directly by searching on community comments. For example, the next query returns samples related to Bitter APT.
你还可以通过搜索社区评论直接搜索社区对该 APT组织的讨论情况。例如,下面的查询语句将返回与 Bitter APT 组织相关的样本。
entity:file comment:"Bitter APT”
When checking these samples’ behavior we can find interesting patterns that can be used to hunt for other similar ones. For instance, Bitter seems to specially like the "chm" file format, as seen in the initial Twitter/X reference and when calculating Commonalities among these files, along with the use of scheduled tasks to achieve persistence on targeted systems, and run the %comspec% environment variable through the scheduled task created to execute msiexec.exe followed by an URL.
在检查这些样本的行为时,我们可以发现一些有趣的模式,用来寻找其他类似的样本。例如,Bitter 组织似乎特别喜欢 “chm” 文件格式,这在最初 Twitter/X 出现的该组织样本和计算这些文件之间的共性时都可以确认这个规律,同时它还使用计划任务在目标系统上实现持久化,并通过创建的计划任务运行 %comspec% 环境变量,接着执行后面跟着一个 URL 的 msiexec.exe 命令行。
All these behavioral characteristics will help us create good LiveHunt rules and queries to detect additional samples. For example:
所有的这些行为特征将帮助我们创建良好的 LiveHunt 规则来查询以检测更多样本。
behavior_processes:"%Comspec%" behavior_processes:"schtasks.exe" tag:chm
The query returns 39 different samples, most of them apparently related to Bitter based on behavior similarities.
查询会返回 39 个不同的样本,根据行为的相似性,其中大部分显然与 Bitter 组织有关。
Now it's time to translate our query into a LiveHunt rule. Certain functionalities available for VTI queries are not ready (yet) in VT LiveHunt and vice versa. We are working to maximize the integration between both systems, and we will get back with more details as we progress in this.
现在是时候将我们的查询转化为 LiveHunt 规则了。VTI 查询中的某些功能在 VT LiveHunt 中尚未准备就绪,反之亦然。我们正在努力最大限度地整合两个系统,我们将在取得进展后提供更多细节。
As we published, we can create a LiveHunt rule from a sample by simply clicking - we are going to create a rule based on 7829b84b5e415ff682f3ef06b9a80f64be5ef6d1d2508597f9e0998b91114499.
正如我们所发布的功能,我们只需点击一下就可以从样本中创建 LiveHunt 规则--我们将基于7829b84b5e415ff682f3ef06b9a80f64be5ef6d1d2508597f9e0998b91114499 创建一个规则。
First, we are interested in identifying the use of the process “schtasks.exe” during sample detonation. In the behaviour details of this sample, we can find “schtasks.exe” in the “Process Tree” and “Shell Commands” sections.
首先,我们对识别样本执行期间 “schtasks.exe” 进程的使用情况感兴趣。在该样本的行为详情中,我们可以在 “Process Tree” 和 “Shell Commands” 部分找到 “schtasks.exe” 。
At the moment, it is not possible to use "Process Tree" in LiveHunt rules, however we can search for processes in "Shell Commands" and "Processes Created" sections to start creating the logic of our rule. In future updates, we will integrate more fields to be used in the creation of LiveHunt YARA rules.
目前,还无法在 LiveHunt 规则中使用 “Process Tree” ,但我们可以在 “Shell Commands” 和 “Processes Created” 部分来搜索进程,进而开始创建规则的逻辑。在未来的更新中,我们将整合更多的字段,用于创建 LiveHunt YARA 规则。
There is no "Processes Created" section, maybe sandboxes were unable to extract such information. But this does not mean it will be the same for future uploaded samples. We will add both the "Shell Commands" and "Processes Created" fields to the condition.
没有“Processes Created” 部分,可能是VT提供的沙箱服务无法提取此类信息。但这并不意味着今后上传的样本也会如此。我们依然将在条件中添加 “Shell Commands” 和 “Processes Created” 字段。
We will follow the same steps to detect the use of the environment variable “%comspec%” in the command line during detonation.
我们将按照同样的步骤检测样本执行期间的命令行中环境变量 “%comspec%” 的使用情况。
We look for the same information in the two sections (shell and processes) and in two different ways as Bitter used upper and lower case letters to spell %coMSPec%. We can simplify this with the "icontains" condition to enforce case insensitiveness.
我们在两个部分(shell 和 processes)中以两种不同的方式查找相同的信息,因为 Bitter 组织使用大小写字母拼写 %coMSPec%。我们可以使用 “icontains” 条件来简化这一过程,从而实现检测规则在匹配时对大小写不敏感。
Finally, we want to add two extra conditions. The first is that samples have the "chm" tag since it is the format we look for. The second is to get notifications exclusively for new uploaded files.
最后,我们要增加两个条件。第一个条件是样本必须带有 “chm” 标签,因为这是我们要查找的文件格式。第二个条件是只接收新上传文件的通知。
And that’s it! You can download and use this YARA rule from our public GitHub, to be integrated into our Crowdsourced YARA Hub in the future.
就是这样!你可以从我们的 GitHub 公共仓库下载(https://github.com/VirusTotal/vt-public-crowdsourced-yara/blob/main/File/APT\_Bitter\_chm\_files.yar)并使用此 YARA 规则,将来还可以将其集成到我们的众包 YARA Hub 中。
RomCom RAT
BlackBerry Threat Research and Intelligence team published about Targeting Politicians in Ukraine using the RomCom RAT. During the campaign, threat actors used a trojanized version of Remote Desktop Manager.
BlackBerry 威胁研究与情报团队发布了关于使用 RomCom RAT 针对乌克兰政治家的文章。在这次攻击活动中,黑客使用了木马版本的远程桌面管理器。
Taking a look at the behavior of the samples provided in this publication, we can find interesting behavioral indicators to generate a VTI query.
查看公开报告中提供的样本的行为,我们可以找到有趣的行为指标来生成 VTI 查询。
Different samples related to RomCom RAT seem to usually drop DLL files in the path “C:\Users\Public\Libraries” with different extensions, and execute them using “rundll32.exe”. That means there are also file creation events in the same path.
与 RomCom RAT 相关的不同样本似乎通常会在 “C:\Users\Public\Libraries” 路径下投放具有不同扩展名的 DLL 文件,并使用 “rundll32.exe” 执行这些文件。这意味着在同一路径下也会有文件创建事件。
All of these indicators, along with others used by RomCom RAT in different intrusions, can be used to create a potential query that can later be translated into a LiveHunt.
所有这些指标,以及 RomCom RAT 在不同入侵活动中使用的其他指标,都可用于创建潜在 VTI 查询,随后转化为 LiveHunt 规则。
These samples export up to three different functions:
这些样本最多可导出三种不同的函数:
* fwdTst
* #1
* Main
“Main” is probably the most common function exported by many other legitimate DLLs, so we will ignore it. The VTI query we use is as follows:
“Main” 可能是许多其他合法动态链接库导出的最常见函数,因此我们将忽略它。我们使用的 VTI 查询如下:
((behavior_processes:".dll,fwdTst") OR (behavior_processes:"dll\",#1" behavior_processes:"\\Public\\Libraries\\") OR (behavior_processes:*.dll0* behavior_processes:"\\Public\\Libraries\\")) AND ((behaviour_files:*\\Public\\Libraries\\*) AND (behavior:*rundll32.exe*))
Even if you don't know that the "Main" function is common in the use of DLLs, when building our query we would observe a large number of samples matching our logic. For this reason, it is important that before creating a rule we use a query when possible to understand if results align with our expectations, and iterate the condition until we are satisfied with it.
即使你不知道 “Main” 函数在 DLL 文件的使用中很常见,在构建查询时我们也会观察到大量与我们的逻辑相匹配的样本。因此,在创建规则之前,我们尽可能使用查询来了解结果是否符合我们的预期,并迭代条件直到我们满意为止,这一点很重要。
The last query provides samples related both to RomCom RAT and Mustang Panda. This might indicate that both threat actors are using similar procedures during their campaigns.
最后一个查询提供了与 RomCom RAT 和 Mustang Panda 相关的示例。这可能表明两个威胁参与者在其攻击活动期间使用了类似的流程。
To convert this query to LiveHunt, we will split the original query into different sections and adapt them to the rule. As previously explained, the rule will be slightly different from the original query for compatibility reasons.
为了将此查询转换为 LiveHunt 规则,我们将原始查询拆分为不同的部分,并使它们适应规则。如前所述,出于兼容性原因,该规则将与原始查询略有不同。
1. First, we only want DLLs, EXE or MSI files.
2. As a precaution to minimize false positives, we want to skip samples that are not detected as malicious by AntiVirus vendors.
2. 作为最大限度减少误报的预防措施,我们希望跳过反病毒引擎服务未检测为恶意的样本。
3. Something that we can’t do in VT intelligence queries is determine behavioral activity related to file write actions. VTI behavior_files modifier performs a generic search for any literal within file activity, including creation, modification, writing, deletion… LiveHunt gives us more precision to specify our search only for written files during detonation.
3. 在 VT intelligence 查询中,我们无法确定与文件写入操作相关的行为活动。VTI behavior_files 修饰符对文件活动中的任何文字进行通用搜索,包括创建、修改、写入、删除......LiveHunt 为我们提供了更高的精确度,使我们可以指定只搜索样本执行期间写入的文件。
4. Rundll32.exe is used during execution since this DLL should be executed along this sample's process. We will search for it in different fields.
4. 在执行过程中会使用 Rundll32.exe,因为此 DLL 应在此示例的进程中被执行。我们将在不同的字段中搜索它。
5. Finally, we are interested in obtaining the functions exported by the observed DLLs, which are written in the command lines. We are also interested in the existence of a .DLL extension, which will indicate that there is some type of activity involving libraries.
5. 最后,我们对获取观察到的 DLL 导出函数感兴趣,这些函数是在命令行中写入的。我们还对 .DLL 扩展名的存在感兴趣,这将表明存在某种涉及库文件的活动。
You can also find this rule in our public Github repository. Feel free to modify it based on your needs!
你也可以在我们的 Github 公共仓库中(https://github.com/VirusTotal/vt-public-crowdsourced-yara/blob/main/File/RomCom\_MustangPanda\_Similar\_Behaviors.yar)找到此规则。请根据自己的需要随意修改!
Gamaredon
Our last example is related to the Gamaredon threat actor. As per MITRE “Gamaredon Group is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine”.
最后一个例子与 Gamaredon 组织有关。根据 MITRE 的说法,“Gamaredon 组织是一个疑似俄罗斯网络间谍威胁组织,其目标是乌克兰的军事、非政府组织、司法、执法和非营利组织”。
The use of the remote template injection technique is common by this threat actor. This feature involves making connections to a remote resource to load a malicious template. The external domains used to host it generally use some URL pattern. According to publications from different vendors, this actor usually registers domains in the “.ru” TLD.
该组织普遍使用远程模板注入技术。此功能涉及连接到远程资源以加载恶意模板。用于托管它的外部域通常使用某种 URL 模式。根据不同来源的公开报告,该组织通常在 “.ru” 顶级域名中注册域名。
Gamaredon also uses the DLL “davclnt.dll” with the “DavSetCookie” function. This behavior is related to flags that may be connected to exfiltration or use of WebDav to launch code. In other words, this is used to load the remote template. We can quickly check this with the following query:
Gamaredon 组织还使用 “davclnt.dll” 文件中的 “DavSetCookie” 函数。此行为可能与渗透或使用 WebDav 启动代码相关的标志有关。换句话说,这是用来加载远程模板的功能。我们可以使用以下查询快速检查这一点:
threat_actor:"Gamaredon Group" behavior:”DavSetCookie"
Putting all this information together, we can create the next VT intelligence query to get samples related to Gamaredon:
将所有这些信息放在一起,我们可以创建下一个 VT intelligence 查询来获取与 Gamaredon 相关的样本:
(behavior_processes:*.ru* and behavior_processes:*DavSetCookie* and behavior_processes:*http*) and (behavior_network:*.ru* or embedded_domain:*.ru* or embedded_url:*.ru*) (type:document)
The query is designed to discover file-type documents where the following strings are found during execution:
该查询旨在发现在执行期间找到以下字符串存在的文档类型的文件:
Behavior_processes:
* First we want to identify the use of the string “.ru” in the command line. This will be related to domains with this TLD.
* 首先我们要确定命令行中字符串 “.ru” 的使用。这将与具有ru的顶级域名相关。
* Another string that we want to match in the command line is “DavSetCookie”, since it was used by Gamaredon to accomplish remote template loading.
* 我们要在命令行中匹配的另一个字符串是 “DavSetCookie”,因为 Gamaredon 使用它来完成远程模板加载。
* Finally the string “http” must be in the command line as well.
* 最后,字符串 “http” 也必须在命令行中。
Behavior_network:
* See if there are communications established with domains having the “.ru” TLD.
* 查看是否与具有 “.ru” 的顶级域名建立了通信。
Embedded_domain:
* Domains embedded within the document containing the TLD “.ru”. It is not necessary that a connection has existed. We do it this way in case our sandboxes have had problems communicating or the sample has simply decided not to communicate.
* 包含顶级域名 “.ru” 字符串的文档中嵌入的域名。不一定存在连接。我们这样做是为了防止我们的沙箱出现通信问题或者样本决定不通信。
Embedded_url:
* URLs embedded within the document containing the TLD “.ru”. It is not necessary that a connection has existed. We do it this way in case our sandboxes have had problems communicating or the sample has simply decided not to communicate.
* 包含顶级域名 “.ru” 字符串的文档中嵌入的URL。不一定存在连接。我们这样做是为了防止我们的沙箱出现通信问题或者样本决定不通信。
This VT intelligence query provides results that seem to be consistent with known Gamaredon samples, based on the previously discussed patterns. It is always possible we get false positives among the results.
根据前面讨论的模式,此 VT intelligence 查询提供的结果似乎与已知的 Gamaredon 样本一致。但我们总是有可能在结果中得到误报。
Let's convert this VT intelligence query to a LiveHunt to receive notifications for new interesting files.
让我们将此 VT intelligence 查询转换为 LiveHunt 规则,以接收新的有趣文件的通知。
1. First, we want to make sure the exported DLL function is found for any command line or process-related behavior, as well as finding traces of the “.ru” TLD is found for http communication. It is important to mention that we look for information about the TLD ".ru" and the string "http" in the command lines because it could be the case that the connection is not established, but there was an intention to establish it.
2. Communications are important, for that reason we need to check if there were connections established with domains having the TLD .ru. Remember the next block will match only if communications existed.
2. 通信很重要,因此我们需要检查是否与具有 “.ru” 顶级域名的域名建立了连接。请记住,仅当存在通信时,下一个块才会匹配。
3. And for this example, we are just interested in document files, although you can change it to any other file type to adapt it to your needs.
3. 对于此示例,我们只对文档文件感兴趣,尽管你可以将其更改为任何其他文件类型以适应你的需求。
As usual, you can find and download the YARA rule in our public repository.
像往常一样,你可以在我们的公共存储库中找到并下载 YARA 规则。
Actual limitations
实际限制
We are aware of the limitations that currently exist when translating fields from VT intelligence to LiveHunt rule and vice versa, and we are working to obtain maximum compatibility between both systems. However, for the moment this could be an advantage as they complement each other.
我们意识到当前在将字段从 VT intelligence 查询转换为 LiveHunt 规则时存在的限制(反之亦然),并且我们正在努力获得两个系统之间的最大兼容性。然而,目前这可能是一个优势,因为它们是相辅相成的。
VTI modifiers such as behavior_processes, behavior_created_processes or even behavior are somewhat more generic than the possibilities that LiveHunt currently offers, allowing us to specify whether we want information about the processes created, completed or commands executed.
VTI 修饰符(例如behavior_processes、behavior_created_processes 甚至 behavior)比 LiveHunt 当前提供的可能性更通用,允许我们指定是否需要有关已创建、已完成的进程或已执行命令的信息。
However, something that cannot be used yet in LiveHunt rules is the process tree. On some occasions, dynamic executions of our sandboxes only offer information at the process tree level, which means that this information is not available for our rules. But if you want to search information within the process tree with VT intelligence queries, you can use the “behavior” file modifier. The "behavior" modifier the process tree could be consulted to find information.
但是,LiveHunt 规则中尚不能使用进程树。在某些情况下,沙箱的动态执行仅提供进程树级别的信息,这意味着该信息不可用于我们的规则。但如果你想使用 VT intelligence 查询在进程树中搜索信息,则可以使用 “behavior” 文件修饰符。可以查阅进程树的 “behavior” 修饰符来查找信息。
Wrapping up
总结
Converting VT intelligence queries to LiveHunt rules is getting easier. The recently added "structure" feature in LiveHunt allows creating rules in a much simpler way by clicking on the interesting fields, creating the rule conditions for you and eliminating the need to know all available fields in the VT module.
将 VT intelligence 查询转换为 LiveHunt 规则变得越来越容易。LiveHunt 最近添加的 “structure” 功能允许通过单击感兴趣的字段以更简单的方式创建规则,为你创建规则条件,并且无需了解 VT 模块中的所有可用字段。
This post describes with examples a potential approach that analysts might use for their hunting and monitoring. In particular, using VT Intelligence queries before starting working on a YARA rule is really helpful during the initial fine tuning stage of our condition. This practice minimizes noise and ensures we get quality results before we go for our LiveHunt rule. Finally, a quality VTI query can be translated into a YARA with just a few minor changes.
这篇文章通过示例描述了分析师可能用于搜索和监控的潜在方法。特别是,在开始处理 YARA 规则之前使用 VT Intelligence 查询在条件的初始微调阶段非常有用。这种做法可以最大限度地减少噪音,并确保我们在执行 LiveHunt 规则之前获得高质量的结果。最后,只需进行一些小的更改,即可将高质量的 VTI 查询转换为 YARA 规则。
We hope you find this useful, and as always we are happy to hear from you any ideas or feedback you would like to share. Happy hunting!
我们希望你觉得这很有用,并且一如既往,我们很高兴收到你想要分享的任何想法或反馈。Hunting 快乐!
References that could be interesting
可能有意义的参考材料
* IP address search modifiers: https://developers.virustotal.com/docs/ip-address-search-modifiers
* Domain search modifiers: https://developers.virustotal.com/docs/domain-search-modifiers
* File search modifiers: https://developers.virustotal.com/docs/file-search-modifiers
* Network hunting: Writing YARA rules for Livehunt: https://developers.virustotal.com/docs/nethunt
* File hunting: Writing YARA rules for Livehunt: https://developers.virustotal.com/docs/writing-yara-rules-for-livehunt
