Mastering VirusTotal Intelligence: A Comprehensive Guide to VTI Cheat Sheet


How often have you found yourself lost in the maze of features and options that VirusTotal Intelligence (VTI) offers? If you’re reading this, chances are you’ve been there.

But fret not, as we bring you a comprehensive guide based on the latest VTI Cheat Sheet V1.21, aimed at making your threat-hunting queries more precise.

Suspicious Documents

Macros in Recent Documents

If you want to find recently created documents with embedded macros detected by at least 5 anti-virus engines, use the query below:

(type:doc OR type:docx) tag:macros p:5+ generated:30d+

Excel Sheets with PowerShell

To search for Excel sheets that contain PowerShell scripts and have been submitted in the last 10 days:

(type:xls OR type:xlsx) tag:powershell fs:10d+

Obfuscated Documents

Looking for documents that are obfuscated? The query below will do the job:

(type:doc OR type:docx) tag:obfuscated

Behavior During Sandbox Detonation

Submission Queries

First Submission

The fs parameter filters on the first time a file was submitted. For instance, to find files first submitted within a given time window:

fs:2012-08-21 16:00:00+ fs:2012-08-21 16:59:22-

Last Submission

Use ls to find out the last time a file was submitted to VirusTotal:

ls

Last Analysis

If you’re interested in the last time a file was analyzed, use la:

la

Number of Submissions

To check the number of times a file has been submitted, you can use the submissions or s parameter:

submissions:10+ submissions:20-

Submission Sources

If you want to find the number of distinct sources that have submitted a file, use sources:

sources

Submitter Information

To filter by the submitter's country code, or by whether the file was submitted via the web interface or the API, use submitter:

submitter:web submitter:BR

VT Analysis

General Parameters

Tags Assigned by VT

To find the tags that VirusTotal has assigned to a file, use tag:

tag

Structure Similarity

If you’re looking for files that are structurally similar to a known file, the similar-to query can be helpful:

similar-to:19b86fe81df05de2b4207e8eb0c3aa40

Anti-Virus Products

Number of AV Detections

To find the number of antivirus detections a file has, use positives or p:

positives:20+ positives:31-

TTPs (Tactics, Techniques, and Procedures)

MITRE ATT&CK Techniques

If you’re interested in samples that match techniques based on MITRE ATT&CK when detonated in a sandbox, use attack_technique:

attack_technique:T1055

MITRE ATT&CK Tactics

To find samples that match tactics based on MITRE ATT&CK when detonated in a sandbox, use attack_tactic:

attack_tactic:TA0003

Web-Related Parameters

Files Downloaded by a Given URL

To find files that have been downloaded from a specific URL (or from any URL containing a given fragment), use itw:

itw:"&abc=", itw:"ya.ru"

Executables and Sandbox

Entity from Sandbox Reports

If you’re looking for specific entities mentioned in sandbox reports, you can use the behavior (or behaviour) query:

behavior:"explorer.exe"

File System Changes

To identify file system changes during sandbox detonation, you can use behavior_files:

behavior_files:Crack

Executed Processes

To find out which processes were executed during the sandbox detonation, you can use behavior_processes:

behavior_processes:"calc.exe"

Windows Registry Modifications

If you want to identify any changes made to the Windows Registry, use behavior_registry:

behavior_registry:dc971ee5-44eb

Services and Daemons

To find information about services and daemons triggered during sandbox detonation, you can use behavior_services:

behavior_services:TheServiceName

Sandbox Tags

If you’re interested in tags generated by sandboxes, behavior_tags is the query you need:

behavior_tags:mysql_communication

Specific Sandbox Report

To restrict results to files with a report from a specific sandbox, you can use sandbox_name:

sandbox_name:VirusTotal

Traffic and Web Analysis

Web Traffic

If you want to find files that have been associated with specific web traffic, you can use the traffic query:

traffic:"google.com"
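When these modifiers are assembled by hand at scale, a mistyped modifier or an unquoted value simply returns zero results. The helper below is an added example, not part of the cheat sheet or of VirusTotal's own tooling; it renders the modifier:value syntax shown above (trailing + for "at least", - for "at most", quoted values, OR groups) and rejects modifier names that are not on this page.

```python
"""Assemble VirusTotal Intelligence (VTI) query strings from structured
parameters. Added example, not part of the cheat sheet or of VirusTotal:
it only renders the modifier syntax shown on the page."""
import re
from typing import Iterable, Optional

# Modifiers this helper accepts (all appear on the page). A modifier name
# outside this set is rejected instead of silently matching nothing.
KNOWN = {"type", "tag", "p", "positives", "generated", "fs", "ls", "la",
         "submissions", "sources", "submitter", "similar-to",
         "attack_technique", "attack_tactic", "itw", "behavior",
         "behavior_files", "behavior_processes", "behavior_registry",
         "behavior_services", "behavior_tags", "sandbox_name", "traffic"}

def term(modifier: str, value: str, bound: Optional[str] = None) -> str:
    """Render one modifier:value term; bound is '+' (at least) or '-' (at most)."""
    if modifier not in KNOWN:
        raise ValueError(f"unknown VTI modifier: {modifier}")
    if bound not in (None, "+", "-"):
        raise ValueError("bound must be '+', '-' or None")
    # Anything beyond letters, digits, '.', '_' and '-' (spaces, ':', '&', '=',
    # quotes, parentheses) is wrapped in double quotes so VTI reads it as one value.
    if not re.fullmatch(r"[\w.-]+", value):
        value = '"' + value.replace('"', '\\"') + '"'
    return f"{modifier}:{value}{bound or ''}"

def any_of(modifier: str, values: Iterable[str]) -> str:
    """Render (m:v1 OR m:v2 ...) so the OR binds only the listed values."""
    parts = [term(modifier, v) for v in values]
    return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"

def build_query(*, types=(), tags=(), positives_min=None, generated_days=None,
                first_seen_days=None, extra=()) -> str:
    """Assemble the kind of document-hunting query shown on the page.
    extra takes pre-rendered terms, e.g. term("behavior", "explorer.exe")."""
    parts = []
    if types:
        parts.append(any_of("type", types))
    parts.extend(term("tag", t) for t in tags)
    if positives_min is not None:
        parts.append(term("p", str(positives_min), "+"))
    if generated_days is not None:
        parts.append(term("generated", f"{generated_days}d", "+"))
    if first_seen_days is not None:
        parts.append(term("fs", f"{first_seen_days}d", "+"))
    parts.extend(extra)
    return " ".join(parts)
```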


So, there you have it—your go-to guide to mastering the VirusTotal Intelligence queries. Download the original cheat sheet here and elevate your VirusTotal threat hunting game!

1. https://storage.googleapis.com/vtpublic/reports/VTI%20Cheatsheet.pdf
Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
