Hello @donkos
Thanks for checking in on this use case and question. After looking deeper into this for you, I was able to find the following which may be useful:
Currently, we don't have any direct Tags which align directly with Bulletproof Hosting. We do have some Advanced IOC Search tags which can be used, or which would be seen when looking up an IP or domain.
For VPN and TOR Infrastructure
- Tag:vpn - Finds entities explicitly tagged as part of a Virtual Private Network.
- Tag:tor - Identifies known TOR relay nodes or exit nodes.
- Tag:proxy - Locates IP addresses or domains functioning as anonymous proxies.
- Tag:via-tor - (Used for files) Useful for finding malware samples that were submitted to GTI through the TOR network, which can lead you to the associated infrastructure.
Indirect Modifiers for Bulletproof Hosting (BPH)
Since "bulletproof" is a business model rather than a technical protocol, you must search for indicators of the providers known to host such services:
- aso:"Provider Name" - Search for Autonomous System Owners known for BPH (e.g., aso:"Yalishanda", aso:"BraZZZerS", or aso:"Fluxxy").
- asn:12345 - Filter by the specific Autonomous System Number of a high-risk hosting provider.
- gti_score:60+ - Focus on infrastructure with a high GTI Assessment score, which correlates with malicious activity common in BPH environments.
- engines:5+ - Look for IPs or domains with five or more security vendor detections.
The Summary tab often lists the "Category" of the domain (e.g., proxy-anonymizer or malicious-content) and its GTI Assessment. This is where you will see explicit labels for low-reputation VPNs or TOR nodes.
Now to your 2nd question:
To see open ports and services (similar to the Microsoft Graph endpoint):
Navigate to the Detailed Report for the IP.
Look for the "Services" or "Open Ports" section. GTI aggregates information from global scanning and telemetry to show which ports (e.g., 22/SSH, 3389/RDP) were active and what service banners were detected.
Please note that you cannot manually initiate a full scan against these networks for all 65K ports. Even when trying to use ASM, you are not allowed to scan infrastructure that you do not own using that GTI module, and there is a limit on the number of ports ASM will scan; it will not scan all 65K ports.
In summary, you would use the following examples to help you hunt down and identify the malicious infrastructure you're trying to identify:
| Target | Search Bar Query |
|---|---|
| Active TOR Nodes | entity:ip tag:tor |
| VPN Infrastructure | entity:ip tag:vpn |
| Suspicious BPH Range | entity:ip aso:"PROSPERO" p:5+ |
| High-Risk Domains | entity:domain gti_score:80+ |
I'd also suggest including p:1+ (positives) in your queries to focus on indicators that have been flagged by at least one security engine.
Additionally, here are some references for all the tagging and advanced IOC Search modifiers.
https://gtidocs.virustotal.com/docs/full-list-of-google-threat-intelligence-search-modifiers
https://gtidocs.virustotal.com/docs/full-list-of-google-threat-intelligence-tag-modifier
I hope this helps, let us know if you have any additional follow up questions.
Have a great day!
- Rob P
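The hunting workflow from the reply above, as an added Python example that is not part of Rob's post or of Google's own tooling: it assembles the search-bar queries from the listed modifiers (entity:, tag:, aso:, asn:, p:, gti_score:), pages through results, and groups flagged hosts by Autonomous System so a cluster inside one AS stands out as a candidate "BPH range". `fetch_page` targets the VirusTotal API v3 intelligence search endpoint (`GET /api/v3/intelligence/search` with an `x-apikey` header), which is an assumption about the live API; the helper names (`build_query`, `hunt`, `pivot_by_as`, `sample_fetch`) and the sample response pages are constructed for this example so it runs offline.

```python
"""Build GTI/VirusTotal Advanced IOC Search queries, page results, pivot by AS.

Added example, not GTI's own code. fetch_page assumes the VT API v3 endpoint
https://www.virustotal.com/api/v3/intelligence/search; everything else is local.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

VT_SEARCH_URL = "https://www.virustotal.com/api/v3/intelligence/search"


def build_query(entity, tag=None, aso=None, asn=None, positives_min=1, gti_score_min=None):
    """Assemble a search-bar query from the modifiers discussed in the reply.
    positives_min=1 appends p:1+ so never-flagged hosts are excluded by default."""
    parts = [f"entity:{entity}"]
    if tag:
        parts.append(f"tag:{tag}")
    if aso:
        parts.append(f'aso:"{aso}"')  # quote AS owner names: they may contain spaces
    if asn is not None:
        parts.append(f"asn:{int(asn)}")
    if positives_min:
        parts.append(f"p:{positives_min}+")
    if gti_score_min is not None:
        parts.append(f"gti_score:{gti_score_min}+")
    return " ".join(parts)


def fetch_page(api_key, query, cursor=None, limit=10):
    """One live call to the API v3 intelligence search endpoint (needs network + key)."""
    params = {"query": query, "limit": limit}
    if cursor:
        params["cursor"] = cursor
    req = urllib.request.Request(
        f"{VT_SEARCH_URL}?{urllib.parse.urlencode(params)}",
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_results(query, fetch, max_pages=5):
    """Follow meta.cursor across pages; fetch(query, cursor) must return one page dict."""
    cursor = None
    for _ in range(max_pages):
        page = fetch(query, cursor)
        yield from page.get("data", [])
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:
            break


def summarise(obj):
    """Pull the pivot-relevant attributes out of one ip_address/domain object."""
    attrs = obj.get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    return {
        "id": obj["id"],
        "type": obj["type"],
        "asn": attrs.get("asn"),
        "as_owner": attrs.get("as_owner"),
        "tags": sorted(attrs.get("tags", [])),
        # engines currently calling it malicious or suspicious
        "flagged": stats.get("malicious", 0) + stats.get("suspicious", 0),
    }


def hunt(query, fetch, min_flagged=1):
    """Run the query and keep only hosts still flagged by >= min_flagged engines
    (re-checking locally guards against a stale indexed p: value)."""
    return [r for r in map(summarise, iter_results(query, fetch)) if r["flagged"] >= min_flagged]


def pivot_by_as(rows):
    """Count hits per (asn, as_owner): several flagged hosts in one AS is the
    'suspicious BPH range' signal the reply describes, and feeds an aso:/asn: query."""
    return Counter((r["asn"], r["as_owner"]) for r in rows).most_common()


# Constructed sample pages in the shape of API v3 responses (not real GTI data).
_SAMPLE_PAGES = {
    None: {
        "data": [
            {"type": "ip_address", "id": "198.51.100.10",
             "attributes": {"asn": 64496, "as_owner": "EXAMPLE-HOSTING", "tags": ["tor", "proxy"],
                            "last_analysis_stats": {"malicious": 7, "suspicious": 1,
                                                    "harmless": 60, "undetected": 20}}},
            {"type": "ip_address", "id": "198.51.100.11",
             "attributes": {"asn": 64496, "as_owner": "EXAMPLE-HOSTING", "tags": ["tor"],
                            "last_analysis_stats": {"malicious": 0, "suspicious": 0,
                                                    "harmless": 70, "undetected": 18}}},
        ],
        "meta": {"cursor": "page2"},
    },
    "page2": {
        "data": [
            {"type": "ip_address", "id": "203.0.113.5",
             "attributes": {"asn": 64497, "as_owner": "EXAMPLE-VPN", "tags": ["vpn"],
                            "last_analysis_stats": {"malicious": 3, "suspicious": 0,
                                                    "harmless": 75, "undetected": 10}}},
        ],
        "meta": {},
    },
}


def sample_fetch(query, cursor=None):
    """Offline stand-in for fetch_page; use functools.partial(fetch_page, API_KEY) to go live."""
    return _SAMPLE_PAGES[cursor]


if __name__ == "__main__":
    q = build_query("ip", tag="tor")
    hits = hunt(q, sample_fetch)
    print(q)
    for row in hits:
        print(row)
    print(pivot_by_as(hits))
```

Against the constructed pages the `entity:ip tag:tor p:1+` hunt returns two hosts (the unflagged 198.51.100.11 is dropped by the local re-check), and `pivot_by_as` lists one hit each for the two sample ASes; on live data the AS with the most hits is the one to feed back into an `aso:"…" p:5+` query.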