├── .gitattributes
├── .gitignore
├── LICENSE
├── README.MD
├── actions.xml
└── vt-check.ps1

/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto

# Custom for Visual Studio
*.cs diff=csharp

# Standard to msysgit
*.doc diff=astextplain
*.DOC diff=astextplain
*.docx diff=astextplain
*.DOCX diff=astextplain
*.dot diff=astextplain
*.DOT diff=astextplain
*.pdf diff=astextplain
*.PDF diff=astextplain
*.rtf diff=astextplain
*.RTF diff=astextplain
--------------------------------------------------------------------------------

/.gitignore:
--------------------------------------------------------------------------------
# Windows image file caches
Thumbs.db
ehthumbs.db

# Folder config file
Desktop.ini

# Recycle Bin used on file shares
$RECYCLE.BIN/

# Windows Installer files
*.cab
*.msi
*.msm
*.msp

# Windows shortcuts
*.lnk

# =========================
# Operating System Files
# =========================

# OSX
# =========================

.DS_Store
.AppleDouble
.LSOverride

# Thumbnails
._*

# Files that might appear on external disk
.Spotlight-V100
.Trashes

# Directories potentially created on remote AFP share
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2016 LogRhythm

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------

/README.MD:
--------------------------------------------------------------------------------

#====================================================#
# LogRhythm Labs                                     #
# Virus Total Process Analysis Automation            #
# Greg Foss | @heinzarelli | greg.foss@logrhythm.com #
# v0.1 -- November, 2015                             #
#====================================================#

## [About]

Requires PowerShell version 3.0 or higher on both the source and target Windows hosts.

This script interrogates a process on a local or remote system, takes a hash of the executable the process was launched from, and submits that hash to Virus Total. If Virus Total already has a record of that hash, the script displays the results of the previous scan; if the sample is new, it submits the sample to be scanned.

Ideally, this script should be integrated with the organization's Active Defense frameworks to automate rapid analysis of suspect processes and/or files.

## [How To]

##### Run vt-check on local host:

Check a file against Virus Total using their API
PS C:\> .\vt-check.ps1 -file "C:\Users\taco\Desktop\eicar.txt" -VTApiKey [key]

Check a running process against Virus Total using their API
Process ID
PS C:\> .\vt-check.ps1 -processID 1234 -VTApiKey [key]

Process Name (less accurate than process ID if there are multiple processes with the same name)
PS C:\> .\vt-check.ps1 -processName chrome -VTApiKey [key]

Send results via email
PS C:\> .\vt-check.ps1 -processID 1234 -smtpServer [127.0.0.1] -emailTo [greg.foss[at]logrhythm.com] -emailFrom [virustotal[at]logrhythm.com] -VTApiKey [key]

##### Run vt-check on remote host:

PS C:\> .\vt-check.ps1 -remote -target [computer] [arguments - EX: -processID -file -username -password -VTApiKey]

Caveats:
You will need to ensure that PSRemoting and unsigned execution are enabled on the remote host. <== dangerous to leave enabled!!
Be careful, this may inadvertently expose administrative credentials when authenticating to a remote compromised host.

##### What if PSRemoting and Unrestricted Execution are disabled?

Remotely enable PSRemoting and Unrestricted PowerShell Execution using WMI or PsExec followed by a PSSession, then run vt-check

Option 1 -- WMI:
PS C:\> wmic /node:"10.10.10.10" process call create "powershell -noprofile -command Enable-PsRemoting -Force" -Credential Get-Credential

Option 2 -- PsExec:
PS C:\> PsExec.exe \\10.10.10.10 -u [admin account name] -p [admin account password] -h -d powershell.exe "Enable-PSRemoting -Force"

Next...

PS C:\> Test-WSMan 10.10.10.10
PS C:\> Enter-PSSession 10.10.10.10
[10.10.10.10]: PS C:\> Set-ExecutionPolicy Unrestricted -Force

Be careful! This will open the system up to unnecessary risk!!
You could also inadvertently expose administrative credentials when authenticating to a compromised host.

## [Parameter Breakdown]

Virus Total API:

-VTApiKey : Virus Total API Key

The free version will work, but understand that you are limited in the number of queries allowed per day.
It is recommended to hard-code this into the script, so you don't have to enter it every time.

Processes and Files:

-file        : Designates a file to be scanned
-processName : Designates a process name to be scanned
-processID   : Designates a process ID to be scanned

Remote Execution:

-remote : Switch to run vt-check against a remote host
-target : Define the remote host to extract data from

Send Virus Total Scan Results via Email:

-sendEmail  : Allows the script to send the HTML report over SMTP
-smtpServer : Sets the remote SMTP server that will be used to forward reports
-emailTo    : Defines the email recipient. Multiple recipients can be separated by commas
-emailFrom  : Defines the email sender

It is recommended to hard-code these values into the script, so you don't have to enter them every time.

Credentials -- required for remote execution and interaction with Active Directory:

-username : Administrative username -- can be supplied on the command line or hard-coded into the script
-password : Administrative password -- can be supplied on the command line or hard-coded into the script <== Bad idea!!

If neither parameter is supplied, you will be prompted for credentials -- the safest option aside from local execution.

## [Use Cases]

##### 1) Basic Process Capture and Analysis

Quickly analyze processes and/or files to check for signs of malware. This can be run locally or remotely as necessary.

##### 2) SIEM Integration for Incident Response Automation

Integrate the script with your SIEM to automatically scan suspicious processes and/or files with VirusTotal. This script is best utilized in high-security environments where process monitoring is in place and application whitelisting is in effect.

## [Notes]

Keep in mind that while using a free VirusTotal API key is a great way to gather intel and potentially halt an infection, it will expose these samples to the internet, and thus give away information to a potential attacker. This is bad OpSec and is reason enough to purchase a commercial license to VirusTotal if you are considering running this in a production setting. Be aware, too, that Anti-Virus software is inherently flawed and is unable to detect more sophisticated attacks because it primarily relies on signatures. However, by automating VirusTotal scans you gain the coverage of over 55 different AV vendors for every new process or file, as opposed to just one AV solution. Chances are, at least one vendor will catch a majority of the malware submitted.
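The following is an added example, not code from LogRhythm's vt-check.ps1, showing the core of what the [About] section describes (hash the image a process was launched from, then ask Virus Total whether that hash is known) in a form that addresses the OpSec concern raised under [Notes]: it performs a hash-only lookup and never uploads the file, so an unknown private binary is not exposed to third parties. Assumptions: the VirusTotal v3 REST endpoint `GET https://www.virustotal.com/api/v3/files/{sha256}` authenticated with an `x-apikey` header (vt-check.ps1 itself may use a different API version), an API key stored in the hypothetical environment variable `VT_API_KEY`, and the function names `Get-ProcessImageHash` / `Get-VirusTotalReport`, which are mine. `Get-FileHash` requires PowerShell 4.0 or later, one version above the README's stated minimum.

```powershell
# Added example (not the vt-check.ps1 project code).
# Assumes VirusTotal API v3 and an API key in $env:VT_API_KEY (both assumptions).

function Get-ProcessImageHash {
    [CmdletBinding(DefaultParameterSetName = 'ById')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'ById')]   [int]$ProcessId,
        [Parameter(Mandatory, ParameterSetName = 'ByName')] [string]$ProcessName
    )
    $procs = if ($PSCmdlet.ParameterSetName -eq 'ById') {
        Get-Process -Id $ProcessId -ErrorAction Stop
    } else {
        # By name may return several processes (the README notes this is less precise than a PID)
        Get-Process -Name $ProcessName -ErrorAction Stop
    }
    foreach ($p in $procs) {
        # .Path is $null for processes whose image we cannot open (protected/system processes);
        # report and skip rather than abort the whole run
        if (-not $p.Path) { Write-Warning "PID $($p.Id) ($($p.ProcessName)): image path not readable"; continue }
        $hash = Get-FileHash -Path $p.Path -Algorithm SHA256
        [pscustomobject]@{
            PID    = $p.Id
            Name   = $p.ProcessName
            Path   = $p.Path
            SHA256 = $hash.Hash
        }
    }
}

function Get-VirusTotalReport {
    param(
        [Parameter(Mandatory)][string]$Sha256,
        [string]$ApiKey = $env:VT_API_KEY   # assumed location of the key
    )
    if (-not $ApiKey) { throw 'No API key: set $env:VT_API_KEY or pass -ApiKey' }
    $uri = "https://www.virustotal.com/api/v3/files/$Sha256"
    try {
        $r = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'x-apikey' = $ApiKey }
        $stats = $r.data.attributes.last_analysis_stats
        [pscustomobject]@{
            SHA256     = $Sha256
            Known      = $true
            Malicious  = $stats.malicious
            Suspicious = $stats.suspicious
            Harmless   = $stats.harmless
            Undetected = $stats.undetected
        }
    } catch {
        # HTTP 404 means Virus Total has never seen this hash. We deliberately stop here instead
        # of uploading the file, which is the step that leaks the sample to the public.
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 404) {
            [pscustomobject]@{
                SHA256 = $Sha256; Known = $false
                Malicious = $null; Suspicious = $null; Harmless = $null; Undetected = $null
            }
        } else {
            throw   # quota exceeded, bad key, network error: surface it
        }
    }
}

# Usage: hash every chrome process, query each distinct hash once (saves free-tier quota),
# and print only what needs a human's attention.
Get-ProcessImageHash -ProcessName chrome |
    Sort-Object -Property SHA256 -Unique |
    ForEach-Object { Get-VirusTotalReport -Sha256 $_.SHA256 } |
    Where-Object { -not $_.Known -or $_.Malicious -gt 0 } |
    Format-Table -AutoSize
```

Deduplicating on SHA256 before querying matters with the free API key the README mentions: a dozen chrome.exe processes share one image and should cost one query, not twelve. The `Known = $false` result is the decision point: the original script would submit the sample at that point, whereas in an environment where the binary may be proprietary, the safer default is to hand the hash and path to an analyst rather than upload automatically.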

## [License]

Copyright (c) 2016 LogRhythm

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------

/actions.xml:
--------------------------------------------------------------------------------
(file contents not captured)
--------------------------------------------------------------------------------

/vt-check.ps1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LogRhythm-Labs/VirusTotal/49b94472a649a31d182252cf11015b031c79a42b/vt-check.ps1
--------------------------------------------------------------------------------