One of the search modifiers available in Google Threat Intelligence is "tag". This modifier will search for files tagged with the literal provided. Google Threat Intelligence adds tags to all files processed based on hundreds of factors depending on the type of file, information extracted, behaviour, etc.
You can find the description and examples of the most common tags at the File search modifiers article.
List of Domains tags.
List of Files tags.
List of IPs tags.
List of URLs tags.
List of deprecated tags.
| | | |
|---|
| alternative-dns | dga | dynamic-dns | hex |
| non-ascii | nxdomain | potential-c2 | self-signed |
| | | |
|---|
| 32bits | 32lite | 64bits | abused-exe-pattern |
| acidcrypt | acprotect | acroform | activemark |
| aes-encoded | ahpack | ainexe | alexprotector |
| alloy | alternative-dns | aluwain | anorganix |
| anskya | anti-analysis | anywhere | apatch |
| apex | apfs | apk | arm |
| armadillo | arsc | as2 | as3 |
| aspack | asprotect | assembly | attachment |
| auto-close | auto-create | auto-modify | auto-open |
| autoaction | axml | bambam | base64-embedded |
| base64-string | beria | bero | blade |
| blob | bobsoft | calls-wmi | capabilities |
| cdcops | cexe | checks-bios | checks-cpu-name |
| checks-disk-space | checks-gps | checks-hostname | checks-memory-available |
| checks-network-adapters | checks-usb-bus | checks-user-input | checks_gps |
| cicompress | cipherwall | clipboard | code injection |
| code-injection | codelock | codesafe | compack |
| contains-apk | contains-deb | contains-dmg | contains-drv |
| contains-elf | contains-embedded-js | contains-macho | contains-msi |
| contains-pe | contains-rom | contains-zip | copy-file |
| coredump | corrupt | corrupted | create-dir |
| create-file | create-ole | createinstall | crinkler |
| crunch | crypkey | crypt | crypto |
| cryptz | crypwrap | cydia | dbpe |
| ddem | dell-pfs | depack | detect-debug-environment |
| detect_debug_environment | dex | diminisher | dingboy |
| diprotector | direct-cpu-clock-access | djoin | domain-pattern |
| dos-stub | download | dropper | dshield |
| dxpack | dyn-calls | dyn-class | efi |
| email-pattern | email-spam | embedpe | empty |
| encrypted | encryptpe | enigma | enum-windows |
| environ | escargot | eval-function | exe-embedded |
| exe-pattern | exe32pack | execryptor | executes-dropped-file |
| exeguarder | exejoiner | exelocker | exepack |
| exepacker | exeshield | exesmasher | exestealth |
| exploit | exploit-kit | expressor | ext-interface |
| ext-prg | ezip | faulty | feokpt |
| file-embedded | fixuppak | flash-embedded | fres |
| freshbind | frusion | fscommand | fsg |
| ftp | ftp-communication | fucknjoy | fusion |
| gamehouse | gleam | goats | goodware |
| gpt | hackstop | handle-file | hash-collision |
| hasp | heap-spray | hfs | hide-app |
| hiding-window | high-entropy | honeypot | hosts-modifier |
| html-control | idle | iframe | impostor |
| installshield | installstub | intel-me | invalid-rich-pe-checksum |
| invalid-rich-pe-duplicated-entries | invalid-rich-pe-linker-version | invalid-rich-pe-modified-iat | invalid-signature |
| invalid-xref | ios | ipbprotect | ipv4-pattern |
| irc | irc-communication | jdpack | js-embedded |
| jspack | kbys | kgcrypt | kkrunchy |
| known-distributor | krunchy | krypton | kryptor |
| lamecrypt | large-file | launch-action | lcc |
| legit | lib | license | loadbytes |
| lockless | lolbin | long-base64 | long-command-line-arguments |
| long-hex | long-sleeps | ltc | lzexe |
| lzma | mac-app | mac-cmd-embedder | mac-publisher |
| macro-anti-analysis | macro-create-ole | macro-powershell | macro-run-file |
| macros | malformed | malware | matcho |
| meta-redirect | mew | microjoiner | mmbuilder |
| mobile-substrate | molebox | morphine | multi-arch |
| mysql | mysql-communication | nakedpack | native |
| neolite | nfo | niceprotect | noodlecrypt |
| northstar | npack | nsis | nspack |
| nsrl | ntkrnl | nullsoft | nxdomain |
| obfuscated | obsidium | odex | ole-autolink |
| ole-control | ole-embedded | ole-link | open-file |
| opendir | orien | os-checking | overlay |
| pack200 | packman | packmaster | password-dialog |
| password-input | passwordprotector | pcguard | pcshrinker |
| pe-armor | pearmor | pebundle | pecompact |
| pecrc32 | pecrypt32 | pelock | pemangle |
| penightmare | peninja | pepack | peprotect |
| persistence | peshield | peshit | pespin |
| petite | pex | pirit | pklite |
| pklite32 | polyene | postinst | postrm |
| preinst | prerm | punisher | quarantined |
| radpack | rar-embedded | rcryptor | reflection |
| registry | relocatable | repeated-clock-access | revoked-cert |
| rlpack | run-dll | run-file | runtime-modules |
| save-workbook | sdprotect | sdprotector | self-delete |
| send-keys | sends-sms | service-scan | sets-process-name |
| shared-lib | shellcode | signed | simplepack |
| smtp | smtp-communication | softdefender | software-collection |
| spreader | ssh | ssh-communication | starforce |
| startup-folder | stealth | stones | sudo |
| suspicious-dns | suspicious-eip | suspicious-udp | svkprotector |
| system-library | tar-bundle | telephony | telnet |
| telnet-communication | telock | themida | thinstall |
| tlpack | trojan | trusted | tunneling |
| uefi | upack | upx | url-pattern |
| usb-autorun | vcasm | via-tor | virogen |
| webcops | winrar | winzip | wise |
| worm | write-file | wwpack | xcr |
| xorcrypt | xws | yoda | yodaprot |
| yodaprotect | zcode | zero-filled | zip-embedded |
| zipped | | | |
| | | |
|---|
| link-local | loopback | multicast | private |
| proxy | reserved | self-signed | suspicious-udp |
| tor | unspecified | vpn | |
| | | |
|---|
| 32-bit | adware | agenttesla | andromeda |
| apk | arm | avemaria | azorult |
| b-tds | base64-embedded | bashlite | bat |
| bazaloader | bazarcall | bazarloader | blocked-waf |
| cerber | clipboard-readwrite | cloned-website | coinminer |
| contains-apk | contains-dmg | contains-msi | contains-pe |
| contains-zip | crypmod | ddos bot | dll |
| doc | dom-modification | downloader | downloads-apk |
| downloads-dmg | downloads-doc | downloads-elf | downloads-pdf |
| downloads-pe | downloads-zip | dridex | elf |
| emotet | encoded | encrypted | epoch1 |
| epoch2 | exe | exploit | external-resources |
| finderbot | flubot | formbook | gafgyt |
| geofenced | glupteba | gozi | guloader |
| hajime | hancitor | heodo | html |
| icedid | iframes | ip | isfb |
| ita | kovter | loki | lokibot |
| maldoc | malware | meta-redirect | mikoponi |
| mips | mirai | mozi | multiple-redirects |
| nanocore | neshta | netwire | njrat |
| non-ascii | ns-port | opendir | password-input |
| phishing | phorpiex | proxy-auth | pylocky |
| qakbot | qbot | qr-code | quakbot |
| raccoon | rat | redlinestealer | remcos |
| remcosrat | riskware | script | script-load |
| shellscript | silentbuilder | sload | snakekeylogger |
| third-party-cookies | tr | trackers | trickbot |
| ursnif | webshell | xls | xlsb |
| zenpak | zip | zloader | zusy |
| | |
|---|
| invalid-rich-pe-checksum | invalid-rich-pe-duplicated-entries | invalid-rich-pe-linker-version |
| invalid-rich-pe-modified-iat | nsrl | trusted |
