Full list of Google Threat Intelligence tag modifier

One of the search modifiers available in Google Threat Intelligence is "tag". This modifier will search for files tagged with the literal provided. Google Threat Intelligence adds tags to all files processed based on hundreds of factors depending on the type of file, information extracted, behaviour, etc.

You can find the description and examples of the most common tags at the File search modifiers article.

List of Domains tags.

List of Files tags.

List of IPs tags.

List of URLs tags.

List of deprecated tags.

List of Domains tags


alternative-dnsdgadynamic-dnshex
non-asciinxdomainpotential-c2self-signed

List of Files tags


32bits32lite64bitsabused-exe-pattern
acidcryptacprotectacroformactivemark
aes-encodedahpackainexealexprotector
alloyalternative-dnsaluwainanorganix
anskyaanti-analysisanywhereapatch
apexapfsapkarm
armadilloarscas2as3
aspackasprotectassemblyattachment
auto-closeauto-createauto-modifyauto-open
autoactionaxmlbambambase64-embedded
base64-stringberiaberoblade
blobbobsoftcalls-wmicapabilities
cdcopscexechecks-bioschecks-cpu-name
checks-disk-spacechecks-gpschecks-hostnamechecks-memory-available
checks-network-adapterschecks-usb-buschecks-user-inputchecks_gps
cicompresscipherwallclipboardcode injection
code-injectioncodelockcodesafecompack
contains-apkcontains-debcontains-dmgcontains-drv
contains-elfcontains-embedded-jscontains-machocontains-msi
contains-pecontains-romcontains-zipcopy-file
coredumpcorruptcorruptedcreate-dir
create-filecreate-olecreateinstallcrinkler
crunchcrypkeycryptcrypto
cryptzcrypwrapcydiadbpe
ddemdell-pfsdepackdetect-debug-environment
detect_debug_environmentdexdiminisherdingboy
diprotectordirect-cpu-clock-accessdjoindomain-pattern
dos-stubdownloaddropperdshield
dxpackdyn-callsdyn-classefi
email-patternemail-spamembedpeempty
encryptedencryptpeenigmaenum-windows
environescargoteval-functionexe-embedded
exe-patternexe32packexecryptorexecutes-dropped-file
exeguarderexejoinerexelockerexepack
exepackerexeshieldexesmasherexestealth
exploitexploit-kitexpressorext-interface
ext-prgezipfaultyfeokpt
file-embeddedfixuppakflash-embeddedfres
freshbindfrusionfscommandfsg
ftpftp-communicationfucknjoyfusion
gamehousegleamgoatsgoodware
gpthackstophandle-filehash-collision
haspheap-sprayhfshide-app
hiding-windowhigh-entropyhoneypothosts-modifier
html-controlidleiframeimpostor
installshieldinstallstubintel-meinvalid-rich-pe-checksum
invalid-rich-pe-duplicated-entriesinvalid-rich-pe-linker-versioninvalid-rich-pe-modified-iatinvalid-signature
invalid-xrefiosipbprotectipv4-pattern
ircirc-communicationjdpackjs-embedded
jspackkbyskgcryptkkrunchy
known-distributorkrunchykryptonkryptor
lamecryptlarge-filelaunch-actionlcc
legitliblicenseloadbytes
locklesslolbinlong-base64long-command-line-arguments
long-hexlong-sleepsltclzexe
lzmamac-appmac-cmd-embeddermac-publisher
macro-anti-analysismacro-create-olemacro-powershellmacro-run-file
macrosmalformedmalwarematcho
meta-redirectmewmicrojoinermmbuilder
mobile-substratemoleboxmorphinemulti-arch
mysqlmysql-communicationnakedpacknative
neolitenfoniceprotectnoodlecrypt
northstarnpacknsisnspack
nsrlntkrnlnullsoftnxdomain
obfuscatedobsidiumodexole-autolink
ole-controlole-embeddedole-linkopen-file
opendirorienos-checkingoverlay
pack200packmanpackmasterpassword-dialog
password-inputpasswordprotectorpcguardpcshrinker
pe-armorpearmorpebundlepecompact
pecrc32pecrypt32pelockpemangle
penightmarepeninjapepackpeprotect
persistencepeshieldpeshitpespin
petitepexpiritpklite
pklite32polyenepostinstpostrm
preinstprermpunisherquarantined
radpackrar-embeddedrcryptorreflection
registryrelocatablerepeated-clock-accessrevoked-cert
rlpackrun-dllrun-fileruntime-modules
save-workbooksdprotectsdprotectorself-delete
send-keyssends-smsservice-scansets-process-name
shared-libshellcodesignedsimplepack
smtpsmtp-communicationsoftdefendersoftware-collection
spreadersshssh-communicationstarforce
startup-folderstealthstonessudo
suspicious-dnssuspicious-eipsuspicious-udpsvkprotector
system-librarytar-bundletelephonytelnet
telnet-communicationtelockthemidathinstall
tlpacktrojantrustedtunneling
uefiupackupxurl-pattern
usb-autorunvcasmvia-torvirogen
webcopswinrarwinzipwise
wormwrite-filewwpackxcr
xorcryptxwsyodayodaprot
yodaprotectzcodezero-filledzip-embedded
zipped

List of IPs tags


link-localloopbackmulticastprivate
proxyreservedself-signedsuspicious-udp
torunspecifiedvpn

List of URLs tags


32-bitadwareagentteslaandromeda
apkarmavemariaazorult
b-tdsbase64-embeddedbashlitebat
bazaloaderbazarcallbazarloaderblocked-waf
cerberclipboard-readwritecloned-websitecoinminer
contains-apkcontains-dmgcontains-msicontains-pe
contains-zipcrypmodddos botdll
docdom-modificationdownloaderdownloads-apk
downloads-dmgdownloads-docdownloads-elfdownloads-pdf
downloads-pedownloads-zipdridexelf
emotetencodedencryptedepoch1
epoch2exeexploitexternal-resources
finderbotflubotformbookgafgyt
geofencedgluptebagoziguloader
hajimehancitorheodohtml
icedidiframesipisfb
itakovterlokilokibot
maldocmalwaremeta-redirectmikoponi
mipsmiraimozimultiple-redirects
nanocoreneshtanetwirenjrat
non-asciins-portopendirpassword-input
phishingphorpiexproxy-authpylocky
qakbotqbotqr-codequakbot
raccoonratredlinestealerremcos
remcosratriskwarescriptscript-load
shellscriptsilentbuildersloadsnakekeylogger
third-party-cookiestrtrackerstrickbot
ursnifwebshellxlsxlsb
zenpakzipzloaderzusy

List of deprecated tags


invalid-rich-pe-checksuminvalid-rich-pe-duplicated-entriesinvalid-rich-pe-linker-version
invalid-rich-pe-modified-iatnsrltrusted