One of the search modifiers available in Google Threat Intelligence is "tag". This modifier will search for files tagged with the literal provided. Google Threat Intelligence adds tags to all files processed based on hundreds of factors depending on the type of file, information extracted, behaviour, etc.
You can find the description and examples of the most common tags at the File search modifiers article.
List of Domains tags.
List of Files tags.
List of IPs tags.
List of URLs tags.
List of deprecated tags.
| | | |
---|
alternative-dns | dga | dynamic-dns | hex |
non-ascii | nxdomain | potential-c2 | self-signed |
| | | |
---|
32lite | 64bits | abused-exe-pattern | acidcrypt |
acprotect | acroform | activemark | aes-encoded |
ahpack | ainexe | alexprotector | alloy |
alternative-dns | aluwain | anorganix | anskya |
anti-analysis | anywhere | apatch | apex |
apfs | apk | arm | armadillo |
arsc | as2 | as3 | aspack |
asprotect | assembly | attachment | auto-close |
auto-create | auto-modify | auto-open | autoaction |
axml | bambam | base64-embedded | base64-string |
beria | bero | blade | blob |
bobsoft | calls-wmi | capabilities | cdcops |
certified-goodware | cexe | checks-bios | checks-cpu-name |
checks-disk-space | checks-gps | checks-hostname | checks-memory-available |
checks-network-adapters | checks-usb-bus | checks-user-input | checks_gps |
cicompress | cipherwall | clipboard | code injection |
code-injection | codelock | codesafe | compack |
contains-apk | contains-deb | contains-dmg | contains-drv |
contains-elf | contains-embedded-js | contains-macho | contains-msi |
contains-pe | contains-rom | contains-zip | copy-file |
coredump | corrupt | corrupted | create-dir |
create-file | create-ole | createinstall | crinkler |
crunch | crypkey | crypt | crypto |
cryptz | crypwrap | cydia | dbpe |
ddem | dell-pfs | depack | detect-debug-environment |
detect_debug_environment | dex | diminisher | dingboy |
diprotector | direct-cpu-clock-access | djoin | domain-pattern |
dos-stub | download | dropper | dshield |
dxpack | dyn-calls | dyn-class | efi |
email-pattern | email-spam | embedpe | empty |
encrypted | encryptpe | enigma | enum-windows |
environ | escargot | eval-function | exe-embedded |
exe-pattern | exe32pack | execryptor | executes-dropped-file |
exeguarder | exejoiner | exelocker | exepack |
exepacker | exeshield | exesmasher | exestealth |
exploit | exploit-kit | expressor | ext-interface |
ext-prg | ezip | faulty | feokpt |
file-embedded | fixuppak | flash-embedded | fres |
freshbind | frusion | fscommand | fsg |
ftp | ftp-communication | fucknjoy | fusion |
gamehouse | gleam | goats | goodware |
gpt | hackstop | handle-file | hash-collision |
hasp | heap-spray | hfs | hide-app |
hiding-window | high-entropy | honeypot | hosts-modifier |
html-control | idle | iframe | impostor |
installshield | installstub | intel-me | invalid-rich-pe-checksum |
invalid-rich-pe-duplicated-entries | invalid-rich-pe-linker-version | invalid-rich-pe-modified-iat | invalid-signature |
invalid-xref | ios | ipbprotect | ipv4-pattern |
irc | irc-communication | jdpack | js-embedded |
jspack | kbys | kgcrypt | kkrunchy |
known-distributor | krunchy | krypton | kryptor |
lamecrypt | large-file | launch-action | lcc |
legit | lib | license | loadbytes |
lockless | lolbin | long-base64 | long-command-line-arguments |
long-hex | long-sleeps | ltc | lzexe |
lzma | mac-app | mac-cmd-embedder | mac-publisher |
macro-anti-analysis | macro-create-ole | macro-powershell | macro-run-file |
macros | malformed | malware | matcho |
mew | microjoiner | mmbuilder | mobile-substrate |
molebox | morphine | multi-arch | mysql |
mysql-communication | nakedpack | native | neolite |
nfo | niceprotect | noodlecrypt | northstar |
npack | nsis | nspack | nsrl |
ntkrnl | nullsoft | nxdomain | obfuscated |
obsidium | odex | ole-autolink | ole-control |
ole-embedded | ole-link | open-file | opendir |
orien | os-checking | overlay | pack200 |
packman | packmaster | password-dialog | passwordprotector |
pcguard | pcshrinker | pe-armor | pearmor |
pebundle | pecompact | pecrc32 | pecrypt32 |
pelock | pemangle | penightmare | peninja |
pepack | peprotect | persistence | peshield |
peshit | pespin | petite | pex |
pirit | pklite | pklite32 | polyene |
postinst | postrm | preinst | prerm |
punisher | radpack | rar-embedded | rcryptor |
reflection | registry | relocatable | repeated-clock-access |
revoked-cert | rlpack | run-dll | run-file |
runtime-modules | save-workbook | sdprotect | sdprotector |
self-delete | send-keys | sends-sms | service-scan |
sets-process-name | shared-lib | shellcode | signed |
simplepack | smtp | smtp-communication | softdefender |
software-collection | spreader | ssh | ssh-communication |
starforce | startup-folder | stealth | stones |
sudo | suspicious-dns | suspicious-eip | suspicious-udp |
svkprotector | system-library | tar-bundle | telephony |
telnet | telnet-communication | telock | themida |
thinstall | tlpack | trojan | trusted |
tunneling | uefi | upack | upx |
url-pattern | usb-autorun | vcasm | via-tor |
virogen | webcops | winrar | winzip |
wise | worm | write-file | wwpack |
xcr | xorcrypt | yoda | yodaprot |
yodaprotect | zcode | zero-filled | zip-embedded |
zipped | | | |
| | | |
---|
link-local | loopback | multicast | private |
proxy | reserved | self-signed | suspicious-udp |
tor | unspecified | vpn | |
| | | |
---|
32-bit | adware | agenttesla | andromeda |
apk | arm | avemaria | azorult |
b-tds | base64-embedded | bashlite | bat |
bazaloader | bazarcall | bazarloader | cerber |
coinminer | contains-apk | contains-dmg | contains-msi |
contains-pe | contains-zip | crypmod | ddos bot |
dll | doc | downloader | downloads-apk |
downloads-dmg | downloads-doc | downloads-elf | downloads-pdf |
downloads-pe | downloads-zip | dridex | elf |
emotet | encoded | encrypted | epoch1 |
epoch2 | exe | exploit | finderbot |
flubot | formbook | gafgyt | geofenced |
glupteba | gozi | guloader | hajime |
hancitor | heodo | html | icedid |
ip | isfb | ita | kovter |
loki | lokibot | maldoc | malware |
mikoponi | mips | mirai | mozi |
multiple-redirects | nanocore | neshta | netwire |
njrat | non-ascii | ns-port | opendir |
phorpiex | pylocky | qakbot | qbot |
quakbot | raccoon | rat | redlinestealer |
remcos | remcosrat | riskware | script |
shellscript | silentbuilder | sload | snakekeylogger |
tr | trickbot | ursnif | webshell |
xls | xlsb | zenpak | zip |
zloader | zusy | | |
| | |
---|
invalid-rich-pe-checksum | invalid-rich-pe-duplicated-entries | invalid-rich-pe-linker-version |
invalid-rich-pe-modified-iat | nsrl | trusted |