IPCheck.Virustotal

Submit an IP to Virustotal. The default public API restriction is 4 requests/min (inspired by the Virustotal file check created by Wes Lambert – @therealwlambert).

This artifact can be called from within another artifact.

Ex.

`SELECT * FROM Artifact.IPCheck.Virustotal(ip=$IP)`

Ex. 2

Check the IPs from a netstat: call the artifact Windows.Network.NetstatEnriched, then in the notebook select the connection of interest:

`SELECT * FROM source() WHERE DestIP != "127.0.0.1" AND Pid = 14604` (the malicious connection)

VT notebook analysis:

```vql
LET VTKey <= "Your key"

LET Results = SELECT * FROM source()
  WHERE DestIP != "127.0.0.1" AND DestIP
  GROUP BY DestIP

SELECT *, { SELECT VTRating
            FROM Artifact.IPCheck.Virustotal(VirustotalKey=VTKey, ip=DestIP) } AS VTResults
FROM foreach(row=Results)
ORDER BY VTResults DESC
```
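A fuller version of the notebook workflow above, added here as an example and not part of the original artifact. It assumes the notebook is attached to a Windows.Network.NetstatEnriched collection (so `source()` yields its rows) and that `VTKey` holds a real key; it deduplicates public destination IPs, skips ranges VT cannot rate, and spaces the lookups to stay within the 4 requests/min public quota.

```vql
LET VTKey <= "Your key"

-- Unique destination IPs, skipping loopback and RFC 1918 ranges that VT cannot rate.
LET Targets = SELECT DestIP, count() AS Connections
  FROM source()
  WHERE DestIP
    AND NOT cidr_contains(ip=DestIP,
          ranges=["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
  GROUP BY DestIP

-- One lookup per IP; the sleep keeps the run at 4 requests/min for the public API.
-- Columns of the Targets row (DestIP, Connections) and of the artifact's output
-- are both in scope inside the foreach query.
-- VTRating is an "m/n" string, so order on the raw malicious engine count instead.
SELECT * FROM foreach(row=Targets,
  query={
    SELECT DestIP, Connections, VTRating, LastAnalysis, YARAResults,
           _Data.data.attributes.last_analysis_stats.malicious AS Malicious,
           sleep(time=15) AS _Wait
    FROM Artifact.IPCheck.Virustotal(VirustotalKey=VTKey, ip=DestIP)
  })
ORDER BY Malicious DESC
```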

name: IPCheck.Virustotal
author: Adrian Lopez Moreno @AdrianX21
description: |
  Submit an IP to Virustotal. The default public API restriction is 4 requests/min (inspired by the Virustotal file check created by Wes Lambert -- @therealwlambert).

  This artifact can be called from within another artifact.

  Ex.

    `SELECT * FROM Artifact.IPCheck.Virustotal(ip=$IP)`

  Ex. 2

  Check the IPs from a netstat: call the artifact Windows.Network.NetstatEnriched, then in the notebook select the connection of interest:

    `SELECT * FROM source() WHERE DestIP != "127.0.0.1" AND Pid = 14604` (the malicious connection)

  VT notebook analysis:

    LET VTKey <= "Your key"

    LET Results = SELECT * FROM source()
      WHERE DestIP != "127.0.0.1" AND DestIP
      GROUP BY DestIP

    SELECT *, { SELECT VTRating
                FROM Artifact.IPCheck.Virustotal(VirustotalKey=VTKey, ip=DestIP) } AS VTResults
    FROM foreach(row=Results)
    ORDER BY VTResults DESC

type: SERVER

parameters:
    - name: ip
      type: string
      description: IP to check on Virustotal.
      default:

    - name: VirustotalKey
      type: string
      description: API key for Virustotal.
      default:

sources:
  - query: |
        -- Use the key passed as a parameter, else the server-wide key kept in server metadata.
        LET Creds = if(
           condition=VirustotalKey,
           then=VirustotalKey,
           else=server_metadata().VirustotalKey)

        -- VT API v3 IP address object.
        LET URL <= 'https://www.virustotal.com/api/v3/ip_addresses/' + ip

        -- The public API allows 4 requests/min; past the quota VT answers with an
        -- error document instead of an IP object, and the attribute lookups below
        -- then come back null. The raw body is kept in the hidden _Data column.
        LET Data = SELECT parse_json(data=Content) AS VTData
        FROM http_client(url=URL, headers=dict(`x-apikey`=Creds))

        -- VTRating is "malicious/(malicious + undetected)" engine counts from last_analysis_stats.
        -- first_seen_itw_date and first_submission_date are file-object attributes and may be
        -- absent for IP objects, in which case FirstSeen and FirstSubmitted are null.
        SELECT format(format='%v/%v',
             args=[VTData.data.attributes.last_analysis_stats.malicious,
                   VTData.data.attributes.last_analysis_stats.malicious +
                   VTData.data.attributes.last_analysis_stats.undetected]) AS VTRating,
            timestamp(epoch=VTData.data.attributes.first_seen_itw_date) AS FirstSeen,
            timestamp(epoch=VTData.data.attributes.first_submission_date) AS FirstSubmitted,
            timestamp(epoch=VTData.data.attributes.last_analysis_date) AS LastAnalysis,
            VTData.data.attributes.crowdsourced_yara_results AS YARAResults,
            VTData AS _Data
        FROM Data