Using VirusTotal API v3 Data to Detect Malicious Activity — Part 1

Background

What We Need

  1. Splunk
  2. Splunk App — URL Toolbox
  3. VirusTotal API Key (Premium API v3 Key recommended)

Configure the VirusTotal External Lookup in Splunk

VirusTotal API v3 Domain Output
  1. WHOIS — the creation date extracted from the domain's WHOIS information (UTC timestamp). NOTE — VirusTotal collects DNS information passively, so this field may be blank if that information has not been collected yet.
  2. Last Analysis Positive — the number of AV engines that consider the domain malicious.
  3. Certificate Issuer — the certificate authority that issued a certificate for the domain. Only available if the site has an SSL/TLS certificate associated with it.
  4. Categories — the categories that web proxy services have assigned to the domain.
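
As an added example (not code from the article, the Splunk app or VirusTotal), the Python below flattens a constructed v3 domain response into the four lookup fields listed above, leaving a field blank when VirusTotal has not collected that data, and applies an illustrative detection rule. The attribute paths (creation_date, last_analysis_stats, last_https_certificate, categories) are my reading of the v3 domain object; the sample values, category strings and thresholds are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a VirusTotal API v3 GET /domains/{domain} response
# (made-up values; field names follow the v3 domain object as I understand it).
SAMPLE_RESPONSE = json.dumps({
    "data": {"id": "example.test", "type": "domain", "attributes": {
        "creation_date": 1567900800,  # unix epoch seconds, UTC (2019-09-08)
        "last_analysis_stats": {"harmless": 70, "malicious": 5, "suspicious": 1, "undetected": 10},
        "last_https_certificate": {"issuer": {"C": "US", "O": "Example CA", "CN": "Example CA R3"}},
        "categories": {"ProxyVendorA": "malware", "ProxyVendorB": "phishing"},
    }}
})


def summarize_domain(raw_json: str) -> dict:
    """Flatten a v3 domain object into the four lookup fields listed above.
    Data VirusTotal has not collected yet (WHOIS date, certificate) becomes an
    empty string instead of an exception, so every lookup row stays well-formed."""
    attrs = json.loads(raw_json).get("data", {}).get("attributes") or {}
    created = attrs.get("creation_date")
    whois_created = ""
    if isinstance(created, int):
        whois_created = datetime.fromtimestamp(created, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    positives = int((attrs.get("last_analysis_stats") or {}).get("malicious", 0))
    issuer = (attrs.get("last_https_certificate") or {}).get("issuer") or {}
    categories = sorted(set((attrs.get("categories") or {}).values()))
    return {
        "whois_creation_date": whois_created,
        "last_analysis_positives": positives,
        "certificate_issuer": issuer.get("CN") or issuer.get("O") or "",
        "categories": ";".join(categories),  # one cell Splunk can split with makemv
    }


def flag_domain(summary: dict, min_positives: int = 3, young_days: int = 30, now=None) -> bool:
    """Example detection rule with assumed thresholds (not the article's own):
    flag on enough malicious verdicts, a malware/phishing proxy category,
    or a WHOIS creation date younger than young_days."""
    now = now or datetime.now(timezone.utc)
    if summary["last_analysis_positives"] >= min_positives:
        return True
    if {"malware", "phishing"} & set(summary["categories"].split(";")):
        return True
    if summary["whois_creation_date"]:
        created = datetime.strptime(summary["whois_creation_date"], "%Y-%m-%d %H:%M:%S")
        return (now - created.replace(tzinfo=timezone.utc)).days < young_days
    return False
```

In a Splunk external lookup the returned dict would be written as one CSV row per input domain, with the blank fields telling the search that VirusTotal simply has no data yet rather than that the domain is clean.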

The Detection

Example Search Results

Conclusion

Cyber Security enthusiast, detection developer and engineer, researcher, consultant.
redhead0ntherun