Actionable Threat Intel (VI) - A day in a Threat Hunter's life
ID: 6fac0fa8-6937-58c4-a471-14329b240966
STIX ID: report--6fac0fa8-6937-58c4-a471-14329b240966
Feed Name: VirusTotal Blog
This VirusTotal blog post walks through converting Kaspersky CTI findings into actionable VirusTotal Intelligence (VTI) hunting queries and Livehunt YARA rules. It demonstrates hunts for Start-BitsTransfer-based downloads and base64 decoding, WMI event subscription persistence (including searching for ExecutablePath usage), and PowerShell in-memory binary injection patterns. The post shows example VTI queries, links to observed samples (some attributed to APT33, Konni, APT37 and other groups), and provides YARA rules and Sigma references to automate monitoring and detection of these TTPs.
