One of the search modifiers available in Google Threat Intelligence is "tag". This modifier searches for files tagged with the literal provided. Google Threat Intelligence adds tags to every file it processes, based on hundreds of factors that depend on the type of file, the information extracted, its behaviour, etc.
You can find descriptions and examples of the most common tags in the File search modifiers article.

- List of Domains tags.
- List of Files tags.
- List of IPs tags.
- List of URLs tags.
- List of deprecated tags.

Domains tags:

| | | | |
---|---|---|---|
alternative-dns | dga | dynamic-dns | hex |
non-ascii | nxdomain | potential-c2 | self-signed |

Files tags:

| | | | |
---|---|---|---|
32bits | 32lite | 64bits | abused-exe-pattern |
acidcrypt | acprotect | acroform | activemark |
aes-encoded | ahpack | ainexe | alexprotector |
alloy | alternative-dns | aluwain | anorganix |
anskya | anti-analysis | anywhere | apatch |
apex | apfs | apk | arm |
armadillo | arsc | as2 | as3 |
aspack | asprotect | assembly | attachment |
auto-close | auto-create | auto-modify | auto-open |
autoaction | axml | bambam | base64-embedded |
base64-string | beria | bero | blade |
blob | bobsoft | calls-wmi | capabilities |
cdcops | cexe | checks-bios | checks-cpu-name |
checks-disk-space | checks-gps | checks-hostname | checks-memory-available |
checks-network-adapters | checks-usb-bus | checks-user-input | checks_gps |
cicompress | cipherwall | clipboard | code injection |
code-injection | codelock | codesafe | compack |
contains-apk | contains-deb | contains-dmg | contains-drv |
contains-elf | contains-embedded-js | contains-macho | contains-msi |
contains-pe | contains-rom | contains-zip | copy-file |
coredump | corrupt | corrupted | create-dir |
create-file | create-ole | createinstall | crinkler |
crunch | crypkey | crypt | crypto |
cryptz | crypwrap | cydia | dbpe |
ddem | dell-pfs | depack | detect-debug-environment |
detect_debug_environment | dex | diminisher | dingboy |
diprotector | direct-cpu-clock-access | djoin | domain-pattern |
dos-stub | download | dropper | dshield |
dxpack | dyn-calls | dyn-class | efi |
email-pattern | email-spam | embedpe | empty |
encrypted | encryptpe | enigma | enum-windows |
environ | escargot | eval-function | exe-embedded |
exe-pattern | exe32pack | execryptor | executes-dropped-file |
exeguarder | exejoiner | exelocker | exepack |
exepacker | exeshield | exesmasher | exestealth |
exploit | exploit-kit | expressor | ext-interface |
ext-prg | ezip | faulty | feokpt |
file-embedded | fixuppak | flash-embedded | fres |
freshbind | frusion | fscommand | fsg |
ftp | ftp-communication | fucknjoy | fusion |
gamehouse | gleam | goats | goodware |
gpt | hackstop | handle-file | hash-collision |
hasp | heap-spray | hfs | hide-app |
hiding-window | high-entropy | honeypot | hosts-modifier |
html-control | idle | iframe | impostor |
installshield | installstub | intel-me | invalid-rich-pe-checksum |
invalid-rich-pe-duplicated-entries | invalid-rich-pe-linker-version | invalid-rich-pe-modified-iat | invalid-signature |
invalid-xref | ios | ipbprotect | ipv4-pattern |
irc | irc-communication | jdpack | js-embedded |
jspack | kbys | kgcrypt | kkrunchy |
known-distributor | krunchy | krypton | kryptor |
lamecrypt | large-file | launch-action | lcc |
legit | lib | license | loadbytes |
lockless | lolbin | long-base64 | long-command-line-arguments |
long-hex | long-sleeps | ltc | lzexe |
lzma | mac-app | mac-cmd-embedder | mac-publisher |
macro-anti-analysis | macro-create-ole | macro-powershell | macro-run-file |
macros | malformed | malware | matcho |
meta-redirect | mew | microjoiner | mmbuilder |
mobile-substrate | molebox | morphine | multi-arch |
mysql | mysql-communication | nakedpack | native |
neolite | nfo | niceprotect | noodlecrypt |
northstar | npack | nsis | nspack |
nsrl | ntkrnl | nullsoft | nxdomain |
obfuscated | obsidium | odex | ole-autolink |
ole-control | ole-embedded | ole-link | open-file |
opendir | orien | os-checking | overlay |
pack200 | packman | packmaster | password-dialog |
password-input | passwordprotector | pcguard | pcshrinker |
pe-armor | pearmor | pebundle | pecompact |
pecrc32 | pecrypt32 | pelock | pemangle |
penightmare | peninja | pepack | peprotect |
persistence | peshield | peshit | pespin |
petite | pex | pirit | pklite |
pklite32 | polyene | postinst | postrm |
preinst | prerm | punisher | quarantined |
radpack | rar-embedded | rcryptor | reflection |
registry | relocatable | repeated-clock-access | revoked-cert |
rlpack | run-dll | run-file | runtime-modules |
save-workbook | sdprotect | sdprotector | self-delete |
send-keys | sends-sms | service-scan | sets-process-name |
shared-lib | shellcode | signed | simplepack |
smtp | smtp-communication | softdefender | software-collection |
spreader | ssh | ssh-communication | starforce |
startup-folder | stealth | stones | sudo |
suspicious-dns | suspicious-eip | suspicious-udp | svkprotector |
system-library | tar-bundle | telephony | telnet |
telnet-communication | telock | themida | thinstall |
tlpack | trojan | trusted | tunneling |
uefi | upack | upx | url-pattern |
usb-autorun | vcasm | via-tor | virogen |
webcops | winrar | winzip | wise |
worm | write-file | wwpack | xcr |
xorcrypt | xws | yoda | yodaprot |
yodaprotect | zcode | zero-filled | zip-embedded |
zipped | | | |

IPs tags:

| | | | |
---|---|---|---|
link-local | loopback | multicast | private |
proxy | reserved | self-signed | suspicious-udp |
tor | unspecified | vpn | |

URLs tags:

| | | | |
---|---|---|---|
32-bit | adware | agenttesla | andromeda |
apk | arm | avemaria | azorult |
b-tds | base64-embedded | bashlite | bat |
bazaloader | bazarcall | bazarloader | blocked-waf |
cerber | clipboard-readwrite | cloned-website | coinminer |
contains-apk | contains-dmg | contains-msi | contains-pe |
contains-zip | crypmod | ddos bot | dll |
doc | dom-modification | downloader | downloads-apk |
downloads-dmg | downloads-doc | downloads-elf | downloads-pdf |
downloads-pe | downloads-zip | dridex | elf |
emotet | encoded | encrypted | epoch1 |
epoch2 | exe | exploit | external-resources |
finderbot | flubot | formbook | gafgyt |
geofenced | glupteba | gozi | guloader |
hajime | hancitor | heodo | html |
icedid | iframes | ip | isfb |
ita | kovter | loki | lokibot |
maldoc | malware | meta-redirect | mikoponi |
mips | mirai | mozi | multiple-redirects |
nanocore | neshta | netwire | njrat |
non-ascii | ns-port | opendir | password-input |
phishing | phorpiex | proxy-auth | pylocky |
qakbot | qbot | qr-code | quakbot |
raccoon | rat | redlinestealer | remcos |
remcosrat | riskware | script | script-load |
shellscript | silentbuilder | sload | snakekeylogger |
third-party-cookies | tr | trackers | trickbot |
ursnif | webshell | xls | xlsb |
zenpak | zip | zloader | zusy |

Deprecated tags:

| | | |
---|---|---|
invalid-rich-pe-checksum | invalid-rich-pe-duplicated-entries | invalid-rich-pe-linker-version |
invalid-rich-pe-modified-iat | nsrl | trusted |