Sending the results of your Sysmon process information to VirusTotal using process hashes is fairly straightforward. First you will need to register an account with VirusTotal to receive an API key–the free registration type will limit you to a modest number (4) of submissions per minute, but works well for establishing a Proof-of-Concept for your project and testing code.
Let’s begin with a basic piece of coding that checks a hash against VirusTotal. In the last article we described using Sysmon to get the hashes to Splunk, and the Splunk SDK to get them to Python. Now we actually do something with them.
Refer to the VirusTotal API page for detailed examples of what types of things one may do. If you have never programmed using a RESTful API before and believed it was a dark art that only highly paid programmers dare undertake, you will be pleasantly surprised how accessible the techniques are to a security specialist. The modules available in Python make it painless as one need not learn how to format HTTP requests. The VirusTotal API provides examples in Python that you can copy and implement.
If you want to learn more about the Requests module that takes care of all the formatting details associated with HTTP Get Requests, check out this link for descriptions and tutorials. Otherwise, feel free to concentrate on consuming the data versus the minutia of the communication.
'''
Simple program to exercise VirusTotal API
Check out VirusTotal API documentation at:
https://developers.virustotal.com/reference#getting-started
'''
import requests
def get_hash_check(paramsl):
''' procedure to call the REST API and check a single hash
'''
url = 'https://www.virustotal.com/vtapi/v2/file/report'
return requests.get(url, params=paramsl)
def get_params(filename):
'''read values from a file and get parameters
if your key is in a file with format
apikey=<yourapikey>
resource=<hash>
'''
myparams = {}
with open(filename) as myfile:
for line in myfile:
key, value = line.partition("=")[::2]
myparams[key.strip()] = value.strip()
return myparams
def main():
# data
filen = 'settings.txt'
# get the params from file
params = get_params(filen)
# get the results
response = get_hash_check(params)
# response is type requests and has a json method
print(response.json())
if __name__ == '__main__':
main()
In this case, I used a hash of the ubiquitous hacker and pentester’s tool Mimikatz to incite a positive response. In raw JSON, the response is long and messy–here is a snippet:
{‘positives’: 44, ‘scan_date’: ‘2019-07-23 12:43:24’, ‘response_code’: 1, ‘scan_id’: ‘e32a750f0316199e83d5919708b25b12634969dea31ff8a49c09f392f8e9a2f3-1563885
804′, ‘scans’: {‘Microsoft’: {‘detected’: True, ‘version’: ‘1.1.16200.1’, ‘update’: ‘20190723’, ‘result’: ‘HackTool:Win32/Mimikatz.E’}, ‘Cyren’: {‘detected’:
True, ‘version’: ‘6.2.0.1’, ‘update’: ‘20190723’, ‘result’: ‘W64/S-b61adc75!Eldorado’}, ‘F-Prot’: {‘detected’: False, ‘version’: ‘4.7.1.166’, ‘update’: ‘20190
723′, ‘result’: None}, ‘ViRobot’: {‘detected’: False, ‘version’: ‘2014.3.20.0’, ‘update’: ‘20190723’, ‘result’: None}, ‘AhnLab-V3’: {‘detected’: True, ‘versio
n’: ‘3.15.3.24531’, ‘update’: ‘20190723’, ‘result’: ‘Trojan/Win32.Mimikatz.R262842’}, ‘Zoner’: {‘detected’: False, ‘version’: ‘1.0’, ‘update’: ‘20190723’, ‘re
sult’: None}, ‘Alibaba’: {‘detected’: True, ‘version’: ‘0.3.0.5’, ‘update’: ‘20190527’, ‘result’: ‘HackTool:Win32/Mimikatz.856f8946’}, ‘K7GW’: {‘detected’: Tr
ue, ‘version’: ‘11.58.31548’, ‘update’: ‘20190723’, ‘result’: ‘Hacktool ( 0043c1591 )’}, ‘Endgame’: {‘detected’: True, ‘version’: ‘3.0.12’, ‘update’: ‘2019052
2′, ‘result’: ‘malicious (high confidence)’}, ‘Cylance’: {‘detected’: True, ‘version’: ‘2.3.1.101’, ‘update’: ‘20190723’, ‘result’: ‘Unsafe’}, ‘Arcabit’: {‘de
tected’: True, ‘version’: ‘1.0.0.850’, ‘update’: ‘20190723’, ‘result’: ‘Application.Mimikatz.2’}, ‘Rising’: {‘detected’: True, ‘version’: ‘25.0.0.24’, ‘update