Advanced Hunting

Threat hunting stands apart from traditional security methods by being proactive, not reactive. While most security tools wait for an alert, threat hunting actively seeks out threats and suspicious activity that may have slipped past your defenses. This approach is essential for:

  • Finding new and unknown threats before they cause damage.
  • Spotting suspicious anomalies that might signal a cybercriminal at work.
  • Discovering additional malicious artifacts associated with known attackers.

How can Google Threat Intelligence help you?

Google Threat Intelligence provides a powerful platform for threat hunters, fueled by a massive, continuously updated database. This data comes from our security partners and, most importantly, our global community. Our hunting capabilities help you:

  • Find new, unknown malicious activity and threat actors.
  • Spot suspicious anomalies that may indicate an attacker at work.
  • Find additional malicious artifacts used by known attackers.

LiveHunt is a service that allows you to monitor the real-time stream of files submitted to Google Threat Intelligence. You can create your own YARA rules, and when a file matches a rule, you'll be notified instantly. This lets you classify new threats by family, discover new malicious IoCs that antivirus engines might have missed, and find files, URLs, IPs or domains with specific properties.

LiveHunt combines the scale of Google's data with the flexibility of YARA, giving you a tool for monitoring new suspicious activity against your own custom criteria. All matches appear in your IOC Stream, giving you an immediate view of the results. You can also download matched files for further study, and the entire process can be automated through the REST API.

RetroHunt allows you to apply a YARA rule to our extensive historical dataset to discover older versions of attacks. A single RetroHunt job scans over 600 TB of files from the past year, helping you understand how a threat has evolved over time.

You can find detailed information about the creation of YARA rules in the YARA documentation.

Use case

Hunting for malware behavior

Once you have found suspicious behavior in a sample's analysis, you can create a YARA rule that matches on it. Use the Structure tool to write the rule faster, and tune the rule to reduce noise and false positives.

How to do it

  1. Navigate to the ruleset creation section within Google Threat Intelligence.
  2. Use the Structure tool on the left menu, enter a hash of a file you previously analyzed and click on the behaviors you want to match.
  3. Each click generates a new rule snippet; combine the snippets into a single comprehensive rule.
  4. Use the Test tool to confirm that the rule matches the original file while excluding any known false positives.
  5. Save and activate your LiveHunt ruleset. You will receive notifications in your IOC Stream (and by email, if configured) whenever new samples matching your criteria are observed.

The resulting rule looks like this (the original had an unterminated string, "\\Run\"", where the trailing backslash escaped the closing quote; it is written as "\\Run\\" below):

import "vt"

rule remcos_persistence {
  condition:
    // Network behaviour: any sandbox connection to the C2 address.
    for any ips in vt.behaviour.ip_traffic: (
      ips.destination_ip == "87.120.186.37"
    ) and
    // Persistence: any registry key set directly under a Run key.
    for any reg_keys in vt.behaviour.registry_keys_set: (
      reg_keys.key contains "\\Microsoft\\Windows\\CurrentVersion\\Run\\"
    )
}

This YARA rule matches a file whose sandbox behaviour shows both a connection to the selected IP address and a registry key being set under a path that contains the Run key string. Because both conditions come from vt.behaviour, the rule can only match files that have been executed in a sandbox.
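As an added example of the tuning mentioned in step 4 (this is not code from the original page or from Google Threat Intelligence), the following variant tightens the rule above in three ways: it restricts matching to PE executables that are new to the platform, it binds the C2 address to a port, and it only accepts Run-key writes whose value points into a user-writable location. The vt module field names (vt.metadata.file_type, vt.metadata.new_file, vt.behaviour.ip_traffic, vt.behaviour.registry_keys_set and their key/value attributes) are the ones documented for LiveHunt; the destination port 2404 and the AppData/Temp path heuristic are assumptions chosen for illustration, not facts about the sample.

```yara
import "vt"

// Added example: a tuned version of remcos_persistence.
// The vt module field names follow the LiveHunt documentation; the
// destination port and the user-writable-path heuristic are assumptions
// chosen for illustration, not properties of a specific sample.
rule remcos_persistence_tuned
{
  meta:
    description = "C2 callback plus Run-key persistence, with noise filters"
    note = "added example, not part of the original page"

  condition:
    // Scope: PE executables that are new to the platform. Re-submissions
    // of an already-known file would otherwise produce a notification
    // every time the file is uploaded again.
    vt.metadata.file_type == vt.FileType.PE_EXE and
    vt.metadata.new_file and

    // Network: the same C2 address as the page's rule, but bound to a
    // port (2404 is an assumed value) so that traffic to an unrelated
    // service on a shared host does not match.
    for any ip in vt.behaviour.ip_traffic : (
      ip.destination_ip == "87.120.186.37" and
      ip.destination_port == 2404
    ) and

    // Persistence: a value written directly under a Run key. The trailing
    // backslash keeps "\\RunOnce\\" from matching. The value must point
    // into a user-writable location: legitimate installers usually register
    // a Program Files path here, while self-copying malware does not.
    // icontains (case-insensitive) requires YARA 4.1 or later.
    for any reg in vt.behaviour.registry_keys_set : (
      reg.key icontains "\\Microsoft\\Windows\\CurrentVersion\\Run\\" and
      (reg.value icontains "\\AppData\\" or reg.value icontains "\\Temp\\")
    )
}
```

When reusing this rule as a RetroHunt job, drop the vt.metadata.new_file clause: the historical dataset consists of files that are already known, so that condition would exclude everything. Test the tuned rule against the original sample with the Test tool before activating it, since each added constraint that the sandbox report does not satisfy (for example a different port) turns a true positive into a miss.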