Full list of Google Threat Intelligence tag modifier

One of the search modifiers available in Google Threat Intelligence is "tag". This modifier will search for files tagged with the literal provided. Google Threat Intelligence adds tags to all files processed based on hundreds of factors depending on the type of file, information extracted, behaviour, etc.

You can find the description and examples of the most common tags at the File search modifiers article.

List of Domains tags.

List of Files tags.

List of IPs tags.

List of URLs tags.

List of deprecated tags.

List of Domains tags


alternative-dnsdgadynamic-dnshex
non-asciinxdomainpotential-c2self-signed

List of Files tags


32lite64bitsabused-exe-patternacidcrypt
acprotectacroformactivemarkaes-encoded
ahpackainexealexprotectoralloy
alternative-dnsaluwainanorganixanskya
anti-analysisanywhereapatchapex
apfsapkarmarmadillo
arscas2as3aspack
asprotectassemblyattachmentauto-close
auto-createauto-modifyauto-openautoaction
axmlbambambase64-embeddedbase64-string
beriaberobladeblob
bobsoftcalls-wmicapabilitiescdcops
certified-goodwarecexechecks-bioschecks-cpu-name
checks-disk-spacechecks-gpschecks-hostnamechecks-memory-available
checks-network-adapterschecks-usb-buschecks-user-inputchecks_gps
cicompresscipherwallclipboardcode injection
code-injectioncodelockcodesafecompack
contains-apkcontains-debcontains-dmgcontains-drv
contains-elfcontains-embedded-jscontains-machocontains-msi
contains-pecontains-romcontains-zipcopy-file
coredumpcorruptcorruptedcreate-dir
create-filecreate-olecreateinstallcrinkler
crunchcrypkeycryptcrypto
cryptzcrypwrapcydiadbpe
ddemdell-pfsdepackdetect-debug-environment
detect_debug_environmentdexdiminisherdingboy
diprotectordirect-cpu-clock-accessdjoindomain-pattern
dos-stubdownloaddropperdshield
dxpackdyn-callsdyn-classefi
email-patternemail-spamembedpeempty
encryptedencryptpeenigmaenum-windows
environescargoteval-functionexe-embedded
exe-patternexe32packexecryptorexecutes-dropped-file
exeguarderexejoinerexelockerexepack
exepackerexeshieldexesmasherexestealth
exploitexploit-kitexpressorext-interface
ext-prgezipfaultyfeokpt
file-embeddedfixuppakflash-embeddedfres
freshbindfrusionfscommandfsg
ftpftp-communicationfucknjoyfusion
gamehousegleamgoatsgoodware
gpthackstophandle-filehash-collision
haspheap-sprayhfshide-app
hiding-windowhigh-entropyhoneypothosts-modifier
html-controlidleiframeimpostor
installshieldinstallstubintel-meinvalid-rich-pe-checksum
invalid-rich-pe-duplicated-entriesinvalid-rich-pe-linker-versioninvalid-rich-pe-modified-iatinvalid-signature
invalid-xrefiosipbprotectipv4-pattern
ircirc-communicationjdpackjs-embedded
jspackkbyskgcryptkkrunchy
known-distributorkrunchykryptonkryptor
lamecryptlarge-filelaunch-actionlcc
legitliblicenseloadbytes
locklesslolbinlong-base64long-command-line-arguments
long-hexlong-sleepsltclzexe
lzmamac-appmac-cmd-embeddermac-publisher
macro-anti-analysismacro-create-olemacro-powershellmacro-run-file
macrosmalformedmalwarematcho
mewmicrojoinermmbuildermobile-substrate
moleboxmorphinemulti-archmysql
mysql-communicationnakedpacknativeneolite
nfoniceprotectnoodlecryptnorthstar
npacknsisnspacknsrl
ntkrnlnullsoftnxdomainobfuscated
obsidiumodexole-autolinkole-control
ole-embeddedole-linkopen-fileopendir
orienos-checkingoverlaypack200
packmanpackmasterpassword-dialogpasswordprotector
pcguardpcshrinkerpe-armorpearmor
pebundlepecompactpecrc32pecrypt32
pelockpemanglepenightmarepeninja
pepackpeprotectpersistencepeshield
peshitpespinpetitepex
piritpklitepklite32polyene
postinstpostrmpreinstprerm
punisherradpackrar-embeddedrcryptor
reflectionregistryrelocatablerepeated-clock-access
revoked-certrlpackrun-dllrun-file
runtime-modulessave-workbooksdprotectsdprotector
self-deletesend-keyssends-smsservice-scan
sets-process-nameshared-libshellcodesigned
simplepacksmtpsmtp-communicationsoftdefender
software-collectionspreadersshssh-communication
starforcestartup-folderstealthstones
sudosuspicious-dnssuspicious-eipsuspicious-udp
svkprotectorsystem-librarytar-bundletelephony
telnettelnet-communicationtelockthemida
thinstalltlpacktrojantrusted
tunnelinguefiupackupx
url-patternusb-autorunvcasmvia-tor
virogenwebcopswinrarwinzip
wisewormwrite-filewwpack
xcrxorcryptyodayodaprot
yodaprotectzcodezero-filledzip-embedded
zipped

List of IPs tags


link-localloopbackmulticastprivate
proxyreservedself-signedsuspicious-udp
torunspecifiedvpn

List of URLs tags


32-bitadwareagentteslaandromeda
apkarmavemariaazorult
b-tdsbase64-embeddedbashlitebat
bazaloaderbazarcallbazarloadercerber
coinminercontains-apkcontains-dmgcontains-msi
contains-pecontains-zipcrypmodddos bot
dlldocdownloaderdownloads-apk
downloads-dmgdownloads-docdownloads-elfdownloads-pdf
downloads-pedownloads-zipdridexelf
emotetencodedencryptedepoch1
epoch2exeexploitfinderbot
flubotformbookgafgytgeofenced
gluptebagoziguloaderhajime
hancitorheodohtmlicedid
ipisfbitakovter
lokilokibotmaldocmalware
mikoponimipsmiraimozi
multiple-redirectsnanocoreneshtanetwire
njratnon-asciins-portopendir
phorpiexpylockyqakbotqbot
quakbotraccoonratredlinestealer
remcosremcosratriskwarescript
shellscriptsilentbuildersloadsnakekeylogger
trtrickbotursnifwebshell
xlsxlsbzenpakzip
zloaderzusy

List of deprecated tags


invalid-rich-pe-checksuminvalid-rich-pe-duplicated-entriesinvalid-rich-pe-linker-version
invalid-rich-pe-modified-iatnsrltrusted