Investigations on malicious activity usually start with small crumbs and pieces of a puzzle. Analysts will never have a full picture of the attack under investigation, only attackers know, but probably that’s not necessary either. What is needed is to retrieve the context necessary to achieve the goal of the investigation.
Every piece of the puzzle can be used to obtain new pieces. Then, we repeat the process until we don’t find any more clues, or we are satisfied with the results. In this case, the pieces of the puzzle will be Indicators of Compromise (IOCs), usually hashes, domains and IPs.
IOC’s are identified of below source categories
- Dropped files: Interesting files written to disk during sandbox execution. Extremely useful to find what dropper was used for any specific malware.
- Overlay children: Files that are contained as overlay in another sample. Once again, finding information about the parent of some malware sample helps understanding the whole execution chain and properly reproduce the attack.
- PCAP children: Files seen inside the communication traffic for an uploaded PCAP file. Another valuable source of information, as the communication between samples and Command and Control servers can shed light on the artifacts used by attackers once having a foothold in the victim.
- PE Resource children: PE files contained into another file as a resource. Similar to the cases above where we want to find the parent of the malware, this time hiding in a different place.
- In the wild (ITW) IP addresses: We have seen this file being downloaded from these IP addresses. This is how we know how the malware was distributed. It could help to find the malicious infrastructure used by attackers, but also hacked sites used as watering holes for example.
- Email attachments: Files that were distributed through email as attachments. Spear phishing is still the most popular method employed by attackers to distribute malware. This relationship helps confirm what artefacts were spread this way.
You can use the have: modifier with the newly added relationships for your searches in the following
For URLs we also have the following new relationships:
- Communicating files: Given an URL, we can find all files presenting any sort of traffic to it. This helps us understand what files were distributed from some malicious infrastructure or compromised website. Additionally, understanding what legitimate files communicate with a given URL can also provide a valuable insight, for instance for detecting suspicious supply chain activity.
- Referrer files: Any file that contains the given URL on its strings. Maybe we didn’t see these files directly communicating with a given URL but it could be they are only the component containing the configuration.
In addition to all these relationships, we are also stepping up our passive DNS capabilities. As a result, you can now find the following records for domain resolutions in VirusTotal:
- CAA records
- CNAME records
- MX records
- NS records
- SOA records
