VirusTotal Intelligence: A goldmine of Closed Source Intelligence (CSINT)

The purpose of this post is to document hunting procedures leveraging VirusTotal Intelligence [1]. The technique is documented as T1597.002 - Search Closed Sources: Purchase Technical Data in the MITRE ATT&CK framework [2].

The procedures discussed in this post may introduce alternative routes of acquiring intelligence for Red Team Assessments (RTA) beyond the documented Open Source Intelligence counterparts.

The post is divided in the following sections:

Pivoting on VirusTotal Intelligence
Risk Mitigation
Search Modifiers Summary Table
References

Pivoting on VirusTotal Intelligence

VirusTotal has the potential to become a useful tool in the arsenal of a Red Team seeking to identify sensitive information of a target network. Public literature [3] indicates that sensitive information indeed finds its way to VirusTotal, access to which - primarily - threat intelligence analysts have. This post aims to increase the awareness among offensive teams through high-level examples of searches that can be made on VirusTotal.

A quick and easy way to search on VirusTotal that additionally does not require knowledge of YARA, is through VTGrep [6]. VirusTotal from time to time publishes useful posts, one of which is the ‘VT Intelligence Cheat Sheet’ [5] that gives an insight of how to use the available search modifiers. A curated list of official articles that discuss the supported functionality is available at [9].

What makes VirusTotal the goldmine it is, is the combination of the resources it hosts (files, domains, URLs) and the connection between these resources. A user can easily pivot to many other resources starting from a certain point.

The sections that follow provide generic examples about searches and the results these may return.

Mail Addresses

Mail addresses and their respective structure constitute an important piece of information attackers are after. This is because an email address may be used for phishing activities at a later stage in the attack liecycle and because it likely reveals the internal username.

Assuming the domain of the target organization we are after is nxfictionaldomainnx.com, we can use VirusTotal to search for email addresses of users. The VirusTotal search modifiers that can be used for this purpose, is the content modifier. The following search will return any files that contain email addresses:

content:”@nxfictionaldomainnx.com”

In my experience, a search like the above may return matches within:

password dumps
emails (.eml or .msg)
html pages
portable executable (PE)
other types of files

Of particular interest for further pivoting are the password dumps as well as the email files. It is very common for users to use their work email address to sign up for services they use privately (such as forums). If they additionally sign up re-using the password of their work account then a leak of that password through a third-party compromise could allow an attacker access the work account as well. There are many marketplaces in the internet that trade compromised accounts.

One of the very first steps of reconnaissance is the acquisition of bounced emails to investigate if information from internal systems is returned within the email headers. This step may actually not be required if email files exist on VirusTotal. Additionally, this prevents communicating with the target infrastructure directly. By analyzing an email file it is possible to identify what systems have forwarded the email (hops) and the structure of the internal domain name (for example nxfictionaldomainnx.local).

The information acquired in this step can drive further searches on VirusTotal or on other search engines to identify additional hosts, software in use or even credentials posted publicly. It is quite common for developers to post log output from internal systems in public portals. The author, pivoting on an internal domain name, identified a PowerShell console log that discloses a password of a user domain account consistent with an administrator.

Email files obviously contain email addresses and as such can be used to also acquire valid email addresses of employees. Furthermore, the body of an email (the actual content) may reveal sensitive information such as the operating system of the mail server (e.g. included within meeting invites - look for MIME content type ‘text/calendar’), sensitive attachments or even plaintext credentials.The content of an email can also provide information about processes within the targetted organization.

Certificates

When looking for portable executable files (PE) results may include files that are signed with a code signing certificate. VirusTotal parses the certificate, calculates the fingerprint/thumbprint of the certificate and with this process it makes it easy to identify other samples that may have been signed with the same certicate. The search modifier for this search, is:

signature:”<certificate_thumbprint>”

The signature modifier is not limited to only the thumbprint but can also be expanded to include information such as the signer’s name. If the company ‘NxFictionalDomainNx LLC’ produces a software that uses internally and signs it with a certificate, the following search modifier could be used to identify what other sample may have been signed by this company (not necessarily with the same code signing certificate):

signature:”NxFictionalDomainNx LLC”

File Metadata

Documents such as Microsoft Excel, Word, Powerpoint etc, may include the company name - or other information - in the metadata section. Using the company name and the relevant search modifiers it may be possible to identify sensitive company files on VirusTotal. An example search could be the following:

metadata:”<company name>” (type:xls or type:xlsx)

With the above search, someone could find the following information:

sensitive intellectual property of the company (client information, internal processes, sensitive images within the files)
email addresses or names of employees (can later be confirmed on social media and be used for phishing)
internal systems and therefore internal domain names (excel documents may disclose printer names)

The information returned may be used in further searches to identify even more related files.

PDB

Files uploaded on VirusTotal may include debug artifacts such as PDB paths and GUID. These artifacts can become extremely valuable. Pivoting using these may reveal additional useful resources. Internal tools may include PDB paths that disclose internal system names, usernames, software, etc. Parts of the path that look unique are good candidates ffor subsequent searches. The search modifier for file metadata is metadata.

Presuming the fictional PDB path C:\NXFICTIONALDOMAINNX\DEVOPSCICD\Projects\Deployment\Remote\AppServices.pdb is located in a file, the following search could be a good lead for identifying related files:

metadata:”C:\\NXFICTIONALDOMAINNX\\DEVOPSCICD”

For more information about PDB and its use as a threat hunting pivot see reference [7]. An example of the metadata modifier in use to identify documents related to Emotet campaigns is demonstrated in [8].

Relations

This section describes how relations can be leveraged to identify additional related files and provide additional context. As a starting point we have a file that was found using one of the methods that have already been discussed.

VirusTotal parses a file and lists any relations between that file and additional resources. For example, if the submitted file was in a compressed directory, in the relations tab of that file, VirusTotal will list the compressed parent as well as all the other files that might be included in the compressed parent. In another example, if a file makes a request to a domain, a URL or communicates with an IP address, these will be listed in the relations tab. Therefore, the users of VT Intelligence can easily pivot to these domains, URLs or IPs to identify additional files that may have these resources in common.

Submitter ID

When a submission is made to VirusTotal, the submitter is assigned an ID - the submitter ID. It is possible to monitor submissions on VirusTotal using the API [4] and identify addtional samples that have potentially been submitted by the same submitter. However, it must be noted that this functionality was not designed for this purpose and therefore it may not be a reliable way of jumping into conclusions.

Learning from others

Although this section does not describe a certain search with search modifiers, it stands on its own to highlight the knowledge that teams can acquire by finding data on VirusTotal. More specifically, individuals can use the findings from VirusTotal to improve their understanding on what techniques or payloads other teams are using and get inspiration to add these techniques in their workflow. Going a step further, the observed techniques can be improved to evade detections or example or be combined with additional techniques to create new attack paths which can be used to assess the maturity of implemented defenses.

Risk Mitigation

Organizations should be monitoring VirusTotal to identify any sensitive internal information that may have been exposed - intentionally or unintentionally. Sensitive information uploaded to VirusTotal may present a risk to business operations. If it is not possible to build and maintain the capability internally, organizations should seek assistance from companies that offer Threat Intelligence services.

Search Modifiers Summary Table

search modifier	search result
content:”@<fqdn>” content:”@<fqdn>” type:pdf	employee email addresses email headers internal systems sensitive emails around internal processes
content:”<fqdn>”	potentially relevant binaries/internal tools command line history logs with credentials
metadata:”\<directory>\”	files that include this metadata
signature:”<company_name>” signature:<certificate_thumbprint>	signed binaries

References

[1] https://www.virustotal.com/gui/intelligence-overview

[2] https://attack.mitre.org/techniques/T1597/002/

[3] https://www.otorio.com/blog/manufacturers-unknowingly-leak-classified-project-files/

[4] https://developers.virustotal.com/reference/feeds-file-hourly

[5] https://blog.virustotal.com/2022/12/vt-intelligence-cheat-sheet.html

[6] https://support.virustotal.com/hc/en-us/articles/360001386897-Content-search-VTGrep-

[7] https://www.mandiant.com/resources/blog/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware

[8] https://0xdf.gitlab.io/2019/05/22/emotet-pivot.html

[9] https://support.virustotal.com/hc/en-us/sections/360000340597-VT-Enterprise

tags: #reconnaissance