velociraptor
VirusTotal support built-in Velociraptor
May I request VirusTotal integration to be added as a configurable option in some of the artefacts that pull hashes, URLs or IPs. I suggest the following ones in particular:
- Windows.System.Pslist
- Windows.Sysinternals.Autoruns
The user would have to supply his VirusTotal API key in the parameters.
I appreciate that @ecapuano shared a useful notebook on this here, but I would love to see this baked right in Velociraptor, as it would help to quickly triage systems for known malware.
Thanks in advance and cheers for the great tool :)
I will add that Velociraptor may be eligible for a free VirusTotal API key with higher quota, details here: https://support.virustotal.com/hc/en-us/articles/115002100149-API
We already have VT hash lookup on the server side with Server.Enrichment.Virustotal. Similar (although not an endorsed workflow) is Server.Enrichment.Virustotal.FileScan.
@mgreen27 thanks.
For the Windows.Sysinternals.Autoruns artefact, it is worth noting that autorunsc supports querying VirusTotal using the following options:
- -v[s]: Query VirusTotal for malware based on file hash. Files reported as not previously scanned will be uploaded to VirusTotal if the s option is specified.
- -vt: to accept the VirusTotal terms of service
As such, it would be great to have these options added as parameters in Windows.Sysinternals.Autoruns. Just imagine how handy it would be to scan an entire fleet of hosts for known malicious startup keys.
Source: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns#autorunsc-usage
This is probably not what you want - having 10k endpoints directly query VT at the same time for potentially the same binaries will use the API quota pretty fast and may even trigger DDoS protections. Also pushing the API key to the endpoint may compromise it.
Agreed. What I would really want is to use the VT querying capability built-in Autorunsc to scan endpoints for known malicious auto-run keys.
This is what Server.Enrichment.Virustotal is for. Collect Autoruns > reduce/dedup > enrich with VT lookups.
What I am suggesting here is different: VT lookups would be done by autorunsc
on the client side with no need to specify a VT API key.
Doing it using Server.Enrichment.Virustotal.FileScan is a different approach which has some drawbacks:
- it requires an API key
- it is capped by the API limit
- it requires effort to reduce/dedup the entries found by autoruns, which could be considerable if we are talking about thousands of clients
How does autorunsc work without an API key? Does it have some kind of free limit?
They have probably applied for a special privilege using the instructions here : https://support.virustotal.com/hc/en-us/articles/115002100149-API
It is a win/win situation for VT, Autoruns and the community, as autoruns would - if instructed - upload unknown samples to VT, thus enriching the VT knowledge base.
If you wish to run autorunsc with the VT flag, you can very easily clone the Artifact and make it behave the way you want. I do not recommend making this change to the default artifact because I know from experience that enabling this flag across many systems in an environment will cause API problems once VT blocklists your IP address. Also -- automatic upload of samples to VT is a horrible practice and should be avoided at all costs.
PR #2039 added a Send to VirusTotal right-click menu for spot checks as well.
I don't think there is more to do here?
IMHO, this presents a challenge as VT API access is expensive and limited… unless you’ve got a ridiculously high API limit ($$$), you really want to use notebooks to filter down (exclude signed, etc) before just blasting every hash to VT… just my two cents.
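The server-side workflow recommended in this thread (collect Autoruns, reduce/dedup, filter out signed binaries so quota is not wasted, then enrich with VT lookups) can be sketched in a few dozen lines. The block below is an added example, not Velociraptor's own artifact code and not part of anyone's comment: the Autoruns rows are constructed and their column names (`Host`, `Path`, `Signer`, `SHA256`) are assumptions, while the VT v3 endpoint, the `x-apikey` header and the 4-requests-per-minute public quota are real. The HTTP call is isolated behind a `lookup` callable so the reduce and rate-limit logic runs offline.

```python
"""Fleet Autoruns -> unique unsigned hashes -> rate-limited VirusTotal lookups.
Added example; not Velociraptor or VirusTotal project code. Row layout is assumed."""
import json
import os
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed sample of a flattened fleet collection (fake hashes, fake hosts).
SAMPLE_ROWS = [
    {"Host": "ws01", "Path": r"C:\Windows\explorer.exe",
     "Signer": "(Verified) Microsoft Windows", "SHA256": "a" * 64},
    {"Host": "ws02", "Path": r"C:\Windows\explorer.exe",
     "Signer": "(Verified) Microsoft Windows", "SHA256": "a" * 64},
    {"Host": "ws01", "Path": r"C:\Users\bob\AppData\Roaming\upd.exe",
     "Signer": "(Not verified) Contoso", "SHA256": "b" * 64},
    {"Host": "ws02", "Path": r"C:\Users\alice\AppData\Roaming\upd.exe",
     "Signer": "(Not verified) Contoso", "SHA256": "b" * 64},
    {"Host": "ws03", "Path": r"C:\ProgramData\svc\helper.dll",
     "Signer": "", "SHA256": "c" * 64},
    {"Host": "ws03", "Path": r"C:\Temp\x.exe", "Signer": "(Not verified)", "SHA256": ""},
]

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"  # real VT v3 endpoint


def reduce_hashes(rows, skip_verified=True) -> Dict[str, List[str]]:
    """Collapse fleet rows to {sha256: [hosts]}. Drops rows with no usable hash
    and, by default, rows whose signature Autoruns reported as verified, since a
    trusted-signer binary is a poor use of a scarce API call."""
    out: Dict[str, List[str]] = {}
    for r in rows:
        h = (r.get("SHA256") or "").strip().lower()
        if len(h) != 64:
            continue
        if skip_verified and r.get("Signer", "").startswith("(Verified)"):
            continue
        hosts = out.setdefault(h, [])
        if r["Host"] not in hosts:
            hosts.append(r["Host"])
    return out


def vt_lookup(sha256: str, api_key: str) -> Optional[dict]:
    """One VT v3 file lookup; returns the 'attributes' object, or None when VT
    has never seen the hash (HTTP 404). Other HTTP errors propagate."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["data"]["attributes"]
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


def enrich(hash_hosts: Dict[str, List[str]], lookup: Callable[[str], Optional[dict]],
           per_minute: int = 4, sleep=time.sleep, clock=time.monotonic) -> Dict[str, dict]:
    """Query each unique hash exactly once, never exceeding per_minute calls in
    any 60 s window (4/min is the public VT quota). The server holds the key;
    endpoints never see it."""
    results: Dict[str, dict] = {}
    sent: List[float] = []  # timestamps of calls inside the current window
    for h, hosts in hash_hosts.items():
        now = clock()
        sent = [t for t in sent if now - t < 60]
        if len(sent) >= per_minute:
            sleep(60 - (now - sent[0]))
            now = clock()
            sent = [t for t in sent if now - t < 60]
        attrs = lookup(h)
        sent.append(clock())
        malicious = None
        if attrs is not None:
            malicious = attrs.get("last_analysis_stats", {}).get("malicious", 0)
        results[h] = {"hosts": hosts, "malicious": malicious}
    return results


def hits(results: Dict[str, dict], threshold: int = 1) -> Dict[str, List[str]]:
    """Hashes with at least `threshold` malicious verdicts, mapped to the hosts
    where the autorun entry was found (the triage list)."""
    return {h: r["hosts"] for h, r in results.items()
            if r["malicious"] is not None and r["malicious"] >= threshold}


if __name__ == "__main__":
    # Real lookups only when a key is supplied; otherwise just show the reduction.
    reduced = reduce_hashes(SAMPLE_ROWS)
    key = os.environ.get("VT_API_KEY")
    if key:
        print(hits(enrich(reduced, lambda h: vt_lookup(h, key))))
    else:
        print(reduced)
```

Two rows per hash on the sample collapse to one lookup each, and the signed `explorer.exe` rows are skipped entirely, which is the reduction step that makes the server-side approach affordable; the window-based limiter is what keeps a large fleet's worth of unique hashes from tripping the quota the way per-endpoint `-v` queries would.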