VirusTotal/vt-cli

Query for Sandbox Behavior Fields in vt-cli

Issue Description

I'm trying to use the VirusTotal Command Line Interface (vt-cli) to query specific sandbox behavior fields for a file or URL analysis. However, I'm not sure about the correct syntax or commands to achieve this.

Questions

  1. What is the correct command structure to query sandbox behavior fields using vt-cli?
  2. Are there specific flags or options for filtering sandbox behavior results?
  3. Can you provide an example command that demonstrates how to retrieve instances of specific behaviors?

Environment

  • vt-cli version: v1.0.1
  • Operating System: macOS

Additional Context

I've tried looking through the vt-cli documentation, but I couldn't find specific information about querying sandbox behavior fields. Any guidance or examples would be greatly appreciated.

Thank you for your help!

Hello @BlasterXiao,

You can use the following command to query a file's behaviour analyses:

$ vt file behaviours <hash>

If you want only certain attributes, you can filter using the --include option:

$ vt file behaviours f181fdeca6547a1c826f6c2999fd7b61bb8e492eb4e6611a0472bbb3b15fa1d9 --include services_opened,services_started
- services_opened: 
  - "PcaSvc"
  - "WinDefend"
  services_started: 
  - "WSearch"
  - "msiserver"
  - "SecurityHealthService"
  - "PcaSvc"

I hope it helps.

Regards,
Marta
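
For triage, the filtered output from the reply above can be reduced to one field's values. This is an added example, not part of the original thread or the vt-cli project; `field_values`, `has_value` and `sample_output` are hypothetical helper names, the sample is constructed, and the script assumes list-of-strings fields in the shape shown above, with one list item per sandbox report.

```bash
#!/usr/bin/env bash
# Added example: pull one field out of `vt file behaviours ... --include` output.

# field_values FIELD
# Reads the CLI's YAML-style output on stdin and prints the sorted, unique
# values listed under FIELD across every list item.
field_values() {
  awk -v want="$1" '
    # Key line: "- services_opened:" (first key of an item) or
    # "  services_started:" (a later key in the same item).
    /^[- ] [A-Za-z0-9_]+:[ \t]*$/ {
      key = $0
      sub(/^[- ] /, "", key)
      sub(/:[ \t]*$/, "", key)
      in_field = (key == want)
      next
    }
    # Value line under the current key:   - "PcaSvc"
    in_field && /^  - / {
      val = $0
      sub(/^  - /, "", val)
      sub(/[ \t]*$/, "", val)
      gsub(/^"|"$/, "", val)
      print val
    }
  ' | LC_ALL=C sort -u
}

# has_value FIELD VALUE
# Exit status 0 if VALUE appears under FIELD, 1 otherwise.
has_value() {
  field_values "$1" | grep -Fxq -- "$2"
}

# Constructed sample in the output shape shown above. Two list items stand in
# for two sandbox reports (assumption: one list item per report).
sample_output() {
  cat <<'EOF'
- services_opened: 
  - "PcaSvc"
  - "WinDefend"
  services_started: 
  - "WSearch"
  - "PcaSvc"
- services_opened: 
  - "WinDefend"
  services_started: 
  - "msiserver"
EOF
}

# Real use (command and option as given in the reply above):
#   vt file behaviours <hash> --include services_opened,services_started \
#     | field_values services_opened
```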

I'm closing this issue for the moment, feel free to reopen if necessary.