Examples of network hunting using Livehunt
Uncover new artifacts and infrastructure related to a known campaign
New Files downloaded from URLs with a pattern
Matches: FILE
import "vt"
rule NewFileDownloadedFromUrlMatchingExpression {
meta:
description = "New Files downloaded from URLs with a pattern"
author = "google_ti"
target_entity = "file"
condition:
vt.metadata.new_file and
vt.metadata.itw.url.raw matches /example[.]com\/foo\/.*/
}
⚠️ Finetuned alternatives to regexps matching:
vt.metadata.itw.url.raw icontains "example.com/foo"
vt.metadata.itw.domain.root == "example.com" and vt.metadata.itw.url.path istartswith "/foo"
(for every domain or subdomain of example.com including itself)vt.metadata.itw.domain.raw iendswith ".example.com" and vt.metadata.itw.url.path istartswith "/foo"
(for only example.com subdomains)
New PE files downloaded from URLs with a pattern
Matches: FILE
import "vt"
rule NewExesDownloadedFromSomeURLPattern {
meta:
description = "New PE files downloaded from URLs with a pattern"
author = "google_ti"
target_entity = "file"
condition:
vt.metadata.new_file and
vt.metadata.itw.url.raw matches /example.com\/foo\/.*/ and
vt.metadata.file_type == vt.FileType.PE_EXE
}
URLs matching a pattern that downloads a PE file for first time
Matches: URL
import "vt"
rule UrlsMatchingExpressionDownloadingNewFiles {
meta:
description = "URLs matching a pattern that downloads a PE file for first time"
author = "google_ti"
target_entity = "url"
condition:
vt.net.url.downloaded_file.new_for_url and
vt.net.url.raw matches /example[.]com\/foo\/.*/ and
vt.net.url.downloaded_file.file_type == vt.FileType.PE_EXE
}
⚠️ Notice that vt.net.url.downloaded_file.new_for_url
matches once the file
haven't been previously downloaded from that particular URL, it may already be
known in Google Threat Intelligence.
New URLs serving certain hash
Matches: URL
import "vt"
rule NewURLsServingThisFile {
meta:
description = "New URLs serving certain hash"
author = "google_ti"
target_entity = "url"
condition:
vt.net.url.new_url and
vt.net.url.downloaded_file.sha256 == "<sha256>"
}
New URL with a pattern serving a new file
Matches: URL
import "vt"
rule NewURLsServingANewFile {
meta:
description = "New URL with a pattern serving a new file"
author = "google_ti"
target_entity = "url"
condition:
vt.net.url.new_url and
vt.net.url.downloaded_file.new_for_vt and // For VT
vt.net.url.raw icontains "example.com/foo/"
}
URLs matching a string in its content and served for first time
Matches: URL
⚠️ The content will be new for that particular URL, alternatively you can use vt.net.url.downloaded_file.new_for_vt
to check if it's first time seen in the whole Google TI collection.
import "vt"
rule URLsMatchingContent {
meta:
description = "URLs matching a string in its content and served for first time"
author = "google_ti"
target_entity = "url"
strings:
$cmdlet_str = "CmdletBinding" nocase
condition:
vt.net.url.downloaded_file.new_for_url and
$cmdlet_str
}
New URLs matching certain strings in its content
Matches: URL
import "vt"
rule NewURLsServingFileContentMatchingConditions {
meta:
description = "New URLs matching certain strings in its content"
author = "google_ti"
target_entity = "url"
strings:
$foo = "foo"
$bar = "bar"
condition:
vt.net.url.new_url and
all of them
}
New Domains having communicating files detected
Matches: DOMAIN
⚠️ vt.net.domain.communicating_file.*
refers to a File behavioural analysis that reported this Domain (or URL domain) as part of its indicators.
import "vt"
rule NewCommunicatingDomainForDetectedFiles {
meta:
description = "New Domains having communicating files detected"
author = "google_ti"
target_entity = "domain"
condition:
vt.net.domain.new_domain and
// communicating_file.* refers to a File behavioural analysis that reported this Domain (or URL domain).
vt.net.domain.communicating_file.analysis_stats.malicious > 2
}
New Domains having a specific communicating file
Matches: DOMAIN
⚠️ vt.net.domain.communicating_file.*
refers to a File behavioural analysis that reported this Domain (or URL domain) as part of its indicators.
import "vt"
rule NewCommunicatingDomainForSpecificFile {
meta:
description = "New Domains having a specific communicating file"
author = "google_ti"
target_entity = "domain"
condition:
vt.net.domain.new_domain and
// communicating_file.* refers to a File behavioural analysis that reported this Domain (or URL domain).
vt.net.domain.communicating_file.sha256 == "<sha256>"
}
New Domains reported for a subsequent File behaviour analyses
Matches: DOMAIN
import "vt"
rule EveryCommunicatingDomainForSpecificFile {
meta:
description = "New Domains reported for a subsequent File behaviour analyses"
author = "google_ti"
target_entity = "domain"
condition:
vt.net.domain.communicating_file.sha256 == "<sha256>"
}
⚠️ Fixing communicating_file
to a certain hash means that once Google TI receives a new behavioural report over that file you will be notified.
New Domains observed in behaviour analyses of files with detections
Matches: DOMAIN
import "vt"
rule CommunicatingDomainForDetectedFiles {
meta:
description = "New Domains observed in behaviour analyses of files with detections"
author = "google_ti"
target_entity = "domain"
condition:
vt.net.domain.new_domain and
vt.net.domain.communicating_file.analysis_stats.malicious >= 2
}
Domains observed from detected samples behaviours
Matches: DOMAIN
import "vt"
rule DomainsContactedByADetectedFile {
meta:
description = "Domains observed from detected samples behaviours"
author = "google_ti"
target_entity = "domain"
condition:
vt.net.domain.communicating_file.analysis_stats.malicious >= 2
}
IP addresses observed from detected samples behaviours
Matches: IP
import "vt"
rule IpsContactedByADetectedFile {
meta:
description = "IP addresses observed from detected samples behaviours"
author = "google_ti"
target_entity = "ip_address"
condition:
vt.net.ip.communicating_file.analysis_stats.malicious >= 2
}
New URLs under a specific domain
Matches: URL
import "vt"
rule newURLsUnderDomain {
meta:
description = "New URLs under a specific domain"
author = "google_ti"
target_entity = "url"
condition:
vt.net.url.new_url
and vt.net.domain.raw == "example.com"
}
New URLs in subdomains
Matches: URL
import "vt"
rule newURLsInSubDomains {
meta:
description = "New URLs in subdomains"
author = "google_ti"
target_entity = "url"
condition:
vt.net.url.new_url
and vt.net.domain.raw endswith ".example.com"
}
Root domain appearing in a sample behavior for first time
Matches: DOMAIN
import "vt"
rule newDomainRelationshipForIOC {
meta:
description = "Root domain appearing in a sample behavior for first time"
author = "google_ti"
target_entity = "domain"
condition:
vt.net.domain.root == "example.com" and
vt.net.domain.communicating_file.new_for_domain
}
IP addresses range appearing in a sample behavior for first time
Matches: IP
import "vt"
rule newIPRelationshipForIOC {
meta:
description = "IP addresses range appearing in a sample behavior for first time"
author = "google_ti"
target_entity = "ip_address"
condition:
vt.net.ip.communicating_file.new_for_ip and
vt.net.ip.ip_as_int >= 3941835776 and vt.net.ip.ip_as_int < 3941836800 // 234.243.166.33/22
}
Unearth malicious infrastructure being used by certain malware toolkits
URLs with pattern and a set of query params
Matches: URL
⚠️ URL matching can be fine-tuned, for example: vt.net.domain.root == "example.com" and vt.net.url.path istartswith "/foo"
import "vt"
rule paramsOverURL {
meta:
description = "URLs with pattern and a set of query params"
author = "google_ti"
target_entity = "url"
condition:
vt.net.url.raw matches /example[.]com/ and
for any key, value in vt.net.url.params: (
key == "foo" and
value icontains "bar"
)
}
URL subdomains matching certain GET params
Matches: URL
import "vt"
rule paramsOverSubDomain {
meta:
description = "URL subdomains matching certain GET params"
author = "google_ti"
target_entity = "url"
condition:
vt.net.domain.root == "example.com" and
// vt.net.domain.raw != "example.com" and // enable to skip naked domain matches
for any key, value in vt.net.url.params: (
key == "foo" and
value icontains"bar"
)
}
New Files serverd from a domain matching certain JARM
Matches: FILE
import "vt"
rule NewDownloadedFilesJarmMatching {
meta:
description = "New Files serverd from a domain matching certain JARM"
author = "google_ti"
target_entity = "file"
condition:
vt.metadata.new_file and
vt.metadata.itw.domain.jarm == "00112233445566778899AABBCCDDEEFF"
}
New domains with a specific JARM
Matches: DOMAIN
import "vt"
rule NewDomainJarmMatching {
meta:
description = "New domains with a specific JARM"
author = "google_ti"
target_entity = "domain"
condition:
vt.net.domain.new_domain and
vt.net.domain.jarm == "00112233445566778899AABBCCDDEEFF"
}
IP addresses with SSL/TLS serving with a specific JARM
Matches: IP
import "vt"
rule IPJarmMatching {
meta:
description = "IP addresses with SSL/TLS serving with a specific JARM"
author = "google_ti"
target_entity = "ip_address"
condition:
vt.net.ip.jarm == "00112233445566778899AABBCCDDEEFF"
}
New URLs with certain SSL certificate subject
Matches: URL
import "vt"
rule sslCertificateAttributeMatching {
meta:
description = "New URLs with certain SSL certificate subject"
author = "google_ti"
target_entity = "url"
condition:
vt.net.url.new_url and
vt.net.domain.https_certificate.subject.common_name == "*.example.com"
}
URLs with a certain set and amount of HTTP headers
Matches: URL
import "vt"
rule missingAndContainedHTTPHeaders {
meta:
description = "URLs with a certain set and amount of HTTP headers"
author = "google_ti"
target_entity = "url"
condition:
vt.net.url.number_of_response_headers == 4 and
for all name, value in vt.net.url.response_headers : (
name != "Content-Encoding"
) and
for any name, value in vt.net.url.response_headers : (
name == "Foo" and value == "Bar"
)
}
URLs with a certain cookie name
Matches: URL
import "vt"
rule cookieWithName {
meta:
description = "URLs with a certain cookie name"
author = "google_ti"
target_entity = "url"
condition:
for any name, value in vt.net.url.cookies : (
name == "SuspiciousCookie"
)
}
New URLs serving content strings and URLscanner detections
Matches: URL
import "vt"
rule MatchHTTPResponseContentAndAnalysis {
meta:
description = "New URLs serving content strings and URLscanner detections"
author = "google_ti"
target_entity = "url"
strings:
$html = "<HTML "
$bar = "bar"
condition:
vt.net.url.new_url
and vt.net.url.analysis_stats.malicious > 1
and $html at 0 and $bar
}
New URLs with URLscanner detections matching potentially malicious HTML/JS strings
Matches: URL
import "vt"
rule MatchEmbeddedJavascriptContent {
meta:
description = "New URLs with URLscanner detections matching potentially malicious HTML/JS strings"
author = "google_ti"
target_entity = "url"
strings:
$html = "<HTML " nocase
$js_script = "script" nocase
$js_unescape = "unescape" nocase
$js_parseint = "parseint" nocase
$js_fromcharcode = "fromcharcode" nocase
condition:
vt.net.url.new_url and
vt.net.url.analysis_stats.malicious > 1 and
$html at 0 and $js_script and
($js_unescape or $js_parseint or $js_fromcharcode)
}
URLs serving strings seen in Google TI for first time
Matches: URL
import "vt"
rule MatchHTTPResponseContentFirstSeen {
meta:
description = "URLs serving strings seen in Google TI for first time"
author = "google_ti"
target_entity = "url"
strings:
$securestring_str = "ConvertFrom-SecureString" nocase
condition:
vt.net.url.downloaded_file.new_for_vt and
$securestring_str
}
URLs serving potential PowerShell content
Matches: URL
⚠️ Useful for filetypes that are not automatically submmited to Google TI (list).
import "vt"
rule MatchPowerShellContent {
meta:
description = "URLs serving potential PowerShell content"
author = "google_ti"
target_entity = "url"
strings:
$mz_header = { 4d 5a 90 }
$cmdlet_str = "CmdletBinding" nocase
$securestring_str = "ConvertFrom-SecureString" nocase
condition:
not ($mz_header at 0) and
($cmdlet_str or $securestring_str)
}
URLs serving new potential PowerShell content
Matches: URL
⚠️ Useful for filetypes that are not automatically submmited to Google TI (list).
import "vt"
rule MatchNewServedPowerShellContent {
meta:
description = "URLs serving new potential PowerShell content"
author = "google_ti"
target_entity = "url"
strings:
$mz_header = { 4d 5a 90 }
$cmdlet_str = "CmdletBinding" nocase
$securestring_str = "ConvertFrom-SecureString" nocase
condition:
vt.net.url.downloaded_file.new_for_url and
not ($mz_header at 0) and
($cmdlet_str or $securestring_str)
}
Domains with certain DNS records
Matches: DOMAIN
import "vt"
rule dnsRecord {
meta:
description = "Domains with certain DNS records"
author = "google_ti"
target_entity = "domain"
condition:
for any record in vt.net.domain.dns_records : (
record.type == "TXT" and
record.value istartswith "v=spf1 include:"
)
}
Track specific threat actors and their newly created infrastructure
URLs with a certain set of HTML meta tags
Matches: URL
import "vt"
rule htmlMetaTags {
meta:
description = "URLs with a certain set of HTML meta tags"
author = "google_ti"
target_entity = "url"
condition:
for any entry in vt.net.url.html_meta_tags : (
entry.key == "generator" and
for any value in entry.values : (
value startswith "Foo"
) and
for any value in entry.values : (
value startswith "Bar"
)
)
}
URLs with a combination of tracker and tracker id
Matches: URL
import "vt"
rule newURLsUsingSpecificTracker {
meta:
description = "URLs with a combination of tracker and tracker id"
author = "google_ti"
target_entity = "url"
condition:
for any tracker in vt.net.url.trackers : (
tracker.name == "Google Analytics" and
tracker.id == "Foo"
)
}
Domains matching Whois key/values
Matches: DOMAIN
⚠️ This will notify new and updated Whois records.
import "vt"
rule WhoisProperties {
meta:
description = "Domains matching Whois key/values"
author = "google_ti"
target_entity = "domain"
condition:
for any key, value in vt.net.domain.whois : (
key == "Foo" and
value == "Bar"
)
}
Domains serving HTTPS with certain a certificate thumbprint
Matches: DOMAIN
⚠️ To match other HTTPS certificate fields check cert struct.
import "vt"
rule httpsCertificate {
meta:
description = "Domains serving HTTPS with certain a certificate thumbprint"
author = "google_ti"
target_entity = "domain"
vt.net.domain.https_certificate.thumbprint == "AABBCCDD"
}
Identify supply chain risk, mainly phishing, against my identity provider or specific companies
URLs containing certain HTML title and serving a favicon dhash
Matches: URL
⚠️ To obtain a dhash check: obtaining a domain favicon dhash.
import "vt"
rule URLsWithMyFavIcon {
meta:
description = "URLs containing certain HTML title and serving a favicon dhash"
author = "google_ti"
target_entity = "url"
condition:
(vt.net.url.html_title contains "Example Bank" or
vt.net.url.favicon.dhash == "5a923260c3c8708f") and
not vt.net.url.raw istartswith "https://www.example-bank.com/"
}
URLs matching string in its URL excluding the canonical URL
Matches: URL
import "vt"
rule URLHostingPhishing {
meta:
description = "URLs matching string in its URL excluding the canonical URL"
author = "google_ti"
target_entity = "url"
condition:
vt.net.url.raw contains "example-bank" and
vt.net.domain.root != "example-bank.com"
}
⚠️ Notice how vt.net.domain.root
condition excludes the root domain and all its possible subdomains.
Attack surface/infrastructure management
Files with positives downloaded from a certain IP range
Matches: FILE
⚠️ To convert an IP range to Integer match you can check: generating IP integer range.
import "vt"
rule maliciousFilesFromMyIPRange {
meta:
description = "Files with positives downloaded from a certain IP range"
author = "google_ti"
target_entity = "file"
condition:
vt.metadata.analysis_stats.malicious > 1 and
vt.metadata.itw.ip.ip_as_int >= 3941835776 and vt.metadata.itw.ip.ip_as_int < 3941836800 // 234.243.166.33/22
}
Files with positives downloaded from a certain URLs
Matches: FILE
import "vt"
rule maliciousFilesFromMyURLs {
meta:
description = "Files with positives downloaded from a certain URLs"
author = "google_ti"
target_entity = "file"
condition:
vt.metadata.analysis_stats.malicious > 1 and
vt.metadata.itw.url.raw matches /mydomain[.]com/
}
IP addresses marked as malicious in an IP range
Matches: IP
⚠️ To convert an IP range to Integer match you can check: generating IP integer range.
import "vt"
rule IPMarkedAsMaliciousFromMyIPRange {
meta:
description = "IP addresses marked as malicious in an IP range"
author = "google_ti"
target_entity = "ip_address"
condition:
vt.net.ip.analysis_stats.malicious > 1 and
vt.net.ip.ip_as_int >= 3941835776 and vt.net.ip.ip_as_int < 3941836800 // 234.243.166.33/22
}
IP addresses serving malicious files
Matches: IP
Useful to monitor your own infrastructure.
import "vt"
rule IPServesMaliciousFile {
meta:
description = "IP addresses serving malicious files"
author = "google_ti"
target_entity = "ip_address"
condition:
vt.net.ip.raw matches /ˆ11\.22\.33\./ and
vt.net.ip.downloaded_file.analysis_stats.malicious > 2
}
Domain serving malicious files
Matches: DOMAIN
Useful to monitor your own infrastructure.
import "vt"
rule DomainServesMaliciousFile {
meta:
description = "Domain serving malicious files"
author = "google_ti"
target_entity = "domain"
condition:
vt.net.domain.raw iendswith "drive.google.com" and
vt.net.domain.downloaded_file.analysis_stats.malicious > 2
}
False positives related to your internet-exposed assets
Files with positives downloaded from a certain Domain
Matches: DOMAIN
import "vt"
rule falsePositivesFromMyDomain {
meta:
description = "Files with positives downloaded from a certain Domain"
author = "google_ti"
target_entity = "domain"
condition:
vt.net.domain.raw == "example.com" and
vt.net.domain.analysis_stats.malicious > 0
}
Updated 22 days ago