Greg Foss
Security Operations Team Lead

VirusTotal SIEM Integration

Without process whitelisting it’s tough for organizations to be sure of what is running on their hosts. Even with whitelisting, malware can masquerade under other files/processes and appear as something legitimate even though it’s really not the program it is pretending to be.

In fact, there are tons of ways around just about every whitelisting security control out there Endpoint monitoring is further complicated by the fact that no one solution is able to accurately analyze all malicious files out there.

The bad guys know these vulnerabilities exist and have specifically crafted their malware attempt to avoid many detection technologies and techniques.

How Can You Fight Back?

For these reasons, security professionals need to take automated response and analysis to the next level. With LogRhythm, we can use a SmartResponse™ to trigger on specific AI Engine alarms on the endpoint and submit both process and file samples scanning services, like VirusTotal for quick analysis based off of events observed within the enterprise.

To automate this process, I built a VirusTotal SmartResponse script based off of the PowerShell script originally created by David Heise. This is a quick and simple way to capture information on processes and/or files, check these samples against VirusTotal via their API, and send reports back to the Security Operations team automatically. This process is ideal for environments where applications are strictly controlled and whitelisting is in place or file integrity monitoring has been implemented.

Whenever a new process or file is observed, it will automatically be check it out using VirusTotal, to see if it has been scanned before and if it flags as malicious with any AV vendors. All you need is a free VirusTotal API Key and PowerShell v3 or higher on both the SIEM and endpoint(s).

NOTE: Use the paid version of VirusTotal if you do not want to display your results publicly / divulge samples to adversaries, also be aware that any sample you upload can be downloaded by someone else, in its entirety.

Download => https://github.com/LogRhythm-Labs/VirusTotal

See it in Action

Once you download and execute the VirusTotal SmartResponse script, you will be able to run scans against processes directly from the command line.

Script Running in Command Terminal

Now running scans against processes directly from the command line is great and all, but we need to get this data to the security operations team. To do this, simply define the sender, recipient, and SMTP server.

Setting Up Automated Email

The email reports vary based on what, if anything, the scans revealed.

Benign Samples:

Benign Samples

Malicious Samples:

Malicious Samples

Previously Unknown Samples (initiates a new scan):

Previously Unknown Samples

The last piece of the script is to allow it to run on remote systems. This is possible with the –remote and –target flags. You can also define –username and –password on the command line or provide administrative credentials at runtime.

Keep in mind that exposing PowerShell remoting will open the system up to unnecessary risk. Ideally, execute these scripts on the endpoint directly via the SIEM agent or manually.

Script Running on Remote System

When integrating with LogRhythm, there are six total actions. This makes it very easy to use with LogRhythm version 7 as you can choose to fire the SmartResponse at will and integrate it with existing AI Engine rules.

SmartResponse Plugin Properties

This is an ideal SmartResponse to implement with modules such as LogRhythm’s Retail Cyber Crime Analytics Suite, as process whitelisting should already be enabled and Point of Sale systems should not be running anything other than their designated software, nor should they be communicating with unknown hosts. If any of this activity is observed, fire a VirusTotal scan on the new process or file to see if it is flagged as malicious.

Keyboard

Something to Remember

I’d like to reiterate, that while using a free VirusTotal API key is a great way to gather intel and potentially halt an infection, it will expose these samples to the Internet, and thus give away information to a potential attacker. Furthermore, all of the samples that you upload to VirusTotal can also be downloaded by paid members. This is bad OpSec and is reason enough to purchase a commercial license to VirusTotal if you are considering running this rule in a production setting.

By automating VirusTotal scans you gain the power of over 55 different AV vendors covering all new processes/files as opposed to just one AV solution. Chances are, at least one vendor will catch a majority of malware submitted.