For details on how to perform searches, get some help.
ElasticSearch queries do not use a prefix. ie: '*windows.*' would match 'time.windows.com'
For MD5, SHA1, SHA3 SHA256 and SHA512 no prefix is needed(will match any file generated by this analysis as binary/dropped/CAPEdump/etc).
| Prefix | Description |
|---|---|
target_sha256: |
sha256 |
configs: |
Family name |
id: |
task_id, Example: id:1 |
ids: |
task_ids, Example: ids:1,2,3,4,5 |
options: |
x=y, Example: options:function=DllMain |
tags_tasks: |
my_tag, Example: tags_tasks:mytag |
package: |
package, Example: package:ps1 |
name: |
File name pattern |
type: |
File type/format |
ssdeep: |
Fuzzy hash |
crc32: |
CRC32 hash |
imphash: |
Search for PE Imphash |
iconhash: |
Search for exact hash of the icon associated with the PE |
iconfuzzy: |
Search for hash designed to match on similar-looking icons |
file: |
Open files matching the pattern |
command: |
Executed commands matching the pattern |
resolvedapi: |
APIs resolved at runtime matching the pattern |
key: |
Open registry keys matching the pattern |
mutex: |
Open mutexes matching the pattern |
sport: |
Source port. Ex: sport:X |
dport: |
Destination port. Ex: dport:443 |
port: |
Search in Source and Destination ports. Ex port:x |
ip: |
Contact the specified IP address |
domain: |
Contact the specified domain |
url: |
Search for CAPE Sandbox URL analysis |
signame: |
Search for CAPE Sandbox signatures through signature names |
signature: |
Search for CAPE Sandbox signatures through signature descriptions |
detections: |
Search for samples associated with malware family |
surimsg: |
Search for Suricata Alerts MSG |
surialert: |
Search for Suricata Alerts |
surisid: |
Search for Suricata Alerts SID |
suriurl: |
Search for URL in Suricata HTTP Logs |
suriua: |
Search for User-Agent in Suricata HTTP Logs |
surireferrer: |
Search for Referrer in Suricata HTTP Logs |
surihhost: |
Search for Host in Suricata HTTP Logs |
suritlssubject: |
Search for TLS Subject in Suricata TLS Logs |
suritlsissuerdn: |
Search for TLS Issuer DN in Suricata TLS Logs |
suritlsfingerprint: |
Search for TLS Fingerprint in Suricata TLS Logs |
suritls: |
Search for Suricata TLS |
surihttp: |
Search for Suricata HTTP |
ja3_string: |
Search for ja3 string |
ja3_hash: |
Search for ja3 hash |
clamav: |
Local ClamAV detections |
yaraname: |
Yara Rule Name for analysis samples (from binary folder) |
capeyara: |
Yara Rule Name for CAPE Yara hits (from cape folder) |
procdumpyara: |
Yara Rule Name for process dumps |
procmemyara: |
Yara Rule Name for process memory dumps |
virustotal: |
Virus Total Detected Name |
machinename: |
Name of the Target Machine |
machinelabel: |
Label of the Target Machine |
custom: |
Custom data |
shrikemsg: |
Shrike Suri Alert MSG |
shrikesid: |
Shrike Suri Alert Sid (exact int) |
shrikeurl: |
Shrike url before mangling |
shrikerefer: |
Shrike Referrer |
comment: |
Search for Analysis Comments |
malscore: |
Search for Malscore greater than the value |
ttp: |
TTP id, Ex: T1053 |
dhash: |
hash |
die: |
keyboard, Ex die:obsidium |
extracted_tool: |
keyboard, Ex extracted_tool:InnoExtract. See file_extra_info.py for the rest of the tool names |
asn: |
AS ID, Ex asn:AS15169 |
asn_name: |
ASN name, Ex: asn_name:Google LLC |