The VirusTotal cheatsheet makes it simple to search for particular results

VirusTotal published a cheatsheet to assist researchers in creating queries that lead to specific results on the malware intelligence platform.

The file search modifiers are useful for refining output on their own, but the cheat sheet shows how they can be combined in real-world scenarios to locate specific data.

Searches that are more specific

Alexey Firsh, a Google security engineer, gave examples in a blog post on Monday of how the cheat sheet can be used to locate files related to specific entities, groups, activities, networks and non-Windows malware.

Analysts can search for files using the ‘entity’ search modifier, which lets them look up IP addresses, domains, URLs or files. This collection will also contain .

VirusTotal cheat sheet – modifiers for ‘entity’ search

Firsh explains that researchers can combine the names of malware families or campaigns with antivirus engine verdicts on VirusTotal in order to follow a threat actor’s footprints.

This is a useful method for tracking advanced attackers, and it also surfaces matching data in collections curated and maintained by other users on the VirusTotal platform.

VirusTotal cheat sheet – finding specific group activities

The search can be narrowed further, or mixed with matches from crowdsourced rules (YARA, IDS and Sigma).
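To make the combination of modifiers concrete, here is an added example (not code from the article, VirusTotal or the cheat sheet) that composes a query from a few file-search modifiers, sends it to the VirusTotal v3 intelligence search endpoint, and reduces each page of results to hashes and detection counts. The modifier names used (entity:, engines:, p:, fs:, type:, tag:, crowdsourced_yara_rule:) are taken from my reading of VirusTotal’s documentation rather than from this article, so check them against the cheat sheet; the endpoint requires a VT Intelligence (premium) API key, and the sample response page is constructed so the parsing runs offline.

```python
"""Added example: build VirusTotal Intelligence queries from a few of the
file-search modifiers the cheat sheet covers, run them through the VT v3
intelligence search endpoint, and pull the hits out of each result page.
Standard library only; only search() touches the network."""
import json
import urllib.parse
import urllib.request
from typing import Dict, Iterator, List, Optional, Sequence, Tuple

VT_SEARCH_URL = "https://www.virustotal.com/api/v3/intelligence/search"


def term(modifier: str, value: str) -> str:
    """Render one `modifier:value` term.

    Values containing whitespace, colons or parentheses are wrapped in double
    quotes so they are read as one value rather than as extra modifiers.
    Values that themselves contain a double quote are rejected rather than
    escaped: this example does not assume the query grammar's escape rules,
    and a value taken from user input must never be able to smuggle in an
    `entity:` or `NOT` of its own.
    """
    value = str(value)
    if '"' in value:
        raise ValueError(f"double quote not allowed in value for {modifier}")
    if any(ch in value for ch in ' \t:()'):
        value = f'"{value}"'
    return f"{modifier}:{value}"


def build_query(entity: str = "file",
                engines: Sequence[str] = (),
                positives_min: Optional[int] = None,
                first_seen_after: Optional[str] = None,
                file_type: Optional[str] = None,
                yara_rule: Optional[str] = None,
                tags: Sequence[str] = ()) -> str:
    """Join the requested modifiers into one query (terms are ANDed).

    Modifier names are assumed from VT's documentation, not from the article.
    """
    terms: List[str] = [term("entity", entity)]
    terms += [term("engines", e) for e in engines]     # AV verdict substring
    if positives_min is not None:
        terms.append(f"p:{int(positives_min)}+")       # >= N engines flagged
    if first_seen_after is not None:
        terms.append(f"fs:{first_seen_after}+")        # first submission date
    if file_type is not None:
        terms.append(term("type", file_type))          # e.g. apk, peexe, macho
    if yara_rule is not None:
        terms.append(term("crowdsourced_yara_rule", yara_rule))
    terms += [term("tag", t) for t in tags]
    return " ".join(terms)


def extract_hits(page: Dict) -> List[Tuple[str, int, str]]:
    """Reduce one page of /intelligence/search results to
    (sha256, malicious-engine count, best-known name) tuples."""
    hits = []
    for obj in page.get("data", []):
        if obj.get("type") != "file":
            continue
        attrs = obj.get("attributes", {})
        stats = attrs.get("last_analysis_stats", {})
        hits.append((obj["id"], int(stats.get("malicious", 0)),
                     attrs.get("meaningful_name", "")))
    return hits


def search(query: str, api_key: str, limit: int = 100,
           max_pages: int = 5) -> Iterator[Dict]:
    """Page through results using the cursor VT returns in meta.cursor."""
    cursor = None
    for _ in range(max_pages):
        params = {"query": query, "limit": str(limit)}
        if cursor:
            params["cursor"] = cursor
        req = urllib.request.Request(
            VT_SEARCH_URL + "?" + urllib.parse.urlencode(params),
            headers={"x-apikey": api_key, "accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        yield page
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:
            break


# Constructed sample page (not real VT output) so extract_hits runs offline.
SAMPLE_PAGE = {
    "data": [
        {"type": "file", "id": "a" * 64,
         "attributes": {"meaningful_name": "update.apk",
                        "last_analysis_stats": {"malicious": 37, "undetected": 25}}},
        {"type": "file", "id": "b" * 64,
         "attributes": {"meaningful_name": "",
                        "last_analysis_stats": {"malicious": 12, "undetected": 50}}},
        {"type": "url", "id": "ignored-non-file-object"},
    ],
    "meta": {"cursor": None},
}

if __name__ == "__main__":
    q = build_query(engines=["emotet"], positives_min=10,
                    first_seen_after="2022-03-01", file_type="peexe")
    print(q)
    for sha, malicious, name in extract_hits(SAMPLE_PAGE):
        print(sha[:12], malicious, name)
```

Quoting the values in term() matters when the query is assembled from ticket fields or a web form: an engine label such as Trojan:Win32/Emotet contains a colon and would otherwise be parsed as a second modifier, and a stray double quote could terminate a quoted value early and append arbitrary terms.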

VirusTotal cheat sheet – detecting APT activity

VirusTotal’s cheat sheet includes real-world cases in which file search modifiers filter data from specific vendors, or find emails sent by a particular server.

Keywords can also be used to find files targeting other operating systems, such as Android, macOS and Symbian.

Android samples are processed with a free tool that looks inside packages, exposing code strings and manifest entities.

Searching for specific package names is a relatively new function, and it works with files indexed since March 2022.

Although it is only three pages long, the VirusTotal cheat sheet (PDF) covers multiple keyword categories to help find suspicious or malicious files.

This can be used to quickly link malware with operations by known or unknown actors, as well as to discover new lurking threats.

VirusTotal intends to make the cheat sheet more user-friendly by adding new options, allowing faster, easier and better-targeted searches of the intelligence available through the platform.