Virus Total Detection


Hello


I was wondering if there is any chance of alerting when there is detection of malware in Virus Total but not ATP. Multiple times there has been malware executing with no detection in ATP but a high number of hits in VT (~50).

Is it possible to detect this with Advanced hunting? I was looking at the ActionType "Antivirusreport" but it does not mention VT.

2 Replies

@Victor5011 I don't think it's possible to detect it through an advanced hunting query. I've felt the same, virustotal does detect but MS doesn't.

You could probably use the MS Defender ATP API to fetch the SHA1, or an advanced hunting query, and then manually or by the virustotal API query it. However - it's a complex situation to get real alerts to act on of course.


I'm not that good at APIs and so on, so that's out of my scope. But I suppose that this would work with some scripting/API knowledge, but here are some links:

https://support.virustotal.com/hc/en-us/articles/115002100149-API

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/apis-intro
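As an added example (not code from the thread, from Microsoft, or from VirusTotal) of the approach the reply sketches: take SHA1s from an Advanced Hunting result, look each one up on the VirusTotal API v3 `files` endpoint, and flag those with many engine detections. The hunting rows and VT reports below are constructed inline so it runs offline; the Defender API call that would produce the rows is assumed to have happened already, and `min_hits` is an arbitrary threshold.

```python
import json
import urllib.request
from typing import Callable, List

def vt_file_lookup(api_key: str) -> Callable[[str], dict]:
    """Return a function fetching the VirusTotal v3 file report for a hash (network)."""
    def lookup(sha1: str) -> dict:
        req = urllib.request.Request(f"https://www.virustotal.com/api/v3/files/{sha1}",
                                     headers={"x-apikey": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return lookup

def vt_detections(report: dict) -> int:
    """Engines that flagged the file malicious or suspicious in a VT v3 report."""
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    return int(stats.get("malicious", 0)) + int(stats.get("suspicious", 0))

def triage(hunt_rows: List[dict], lookup: Callable[[str], dict], min_hits: int = 20) -> List[dict]:
    """Return hunting rows (SHA1, FileName, DeviceName) whose hash has >= min_hits VT
    detections. Assumes the hunting query already excluded files Defender alerted on."""
    flagged = []
    for row in hunt_rows:
        sha1 = row.get("SHA1")
        if not sha1:
            continue
        try:
            hits = vt_detections(lookup(sha1))
        except Exception:  # unknown hash (VT returns 404) or API error: skip the row
            continue
        if hits >= min_hits:
            flagged.append({**row, "vt_hits": hits})
    return flagged
# Constructed sample data: fake hashes and fake VT reports, not real observations.
SAMPLE_HUNT_ROWS = [
    {"SHA1": "a" * 40, "FileName": "updater.exe", "DeviceName": "host1"},
    {"SHA1": "b" * 40, "FileName": "notepad.exe", "DeviceName": "host2"},
    {"SHA1": "c" * 40, "FileName": "setup.exe", "DeviceName": "host3"},  # unknown to VT
]
SAMPLE_VT = {
    "a" * 40: {"data": {"attributes": {"last_analysis_stats": {"malicious": 48, "suspicious": 2}}}},
    "b" * 40: {"data": {"attributes": {"last_analysis_stats": {"malicious": 0, "suspicious": 0}}}},
}
def sample_lookup(sha1: str) -> dict:
    if sha1 not in SAMPLE_VT:
        raise KeyError(sha1)  # stands in for VT's 404 on an unknown hash
    return SAMPLE_VT[sha1]
if __name__ == "__main__":
    for hit in triage(SAMPLE_HUNT_ROWS, sample_lookup):
        print(f"{hit['DeviceName']}: {hit['FileName']} {hit['SHA1'][:8]}... VT hits={hit['vt_hits']}")
```

Swap `sample_lookup` for `vt_file_lookup(api_key)` to query VirusTotal for real, keeping the public API's rate limits in mind.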

I think you should be looking into MISP for this case (https://www.misp-project.org/).
MISP acts like Virus Total, but open source. You could use MISP to push custom IOCs to MDATP.