For details on how to perform searches, get some help.
ElasticSearch queries do not use a prefix, e.g. '*windows.*' would match 'time.windows.com'.
For MD5, SHA1, SHA3, SHA256 and SHA512 no prefix is needed (a bare hash will match any file generated by the analysis: binary, dropped file, CAPE dump, etc.).
Prefix | Description
---|---
configs: | Family name
id: | task_id, Example: id:1
ids: | task_ids, Example: ids:1,2,3,4,5
options: | x=y
tags_tasks: | my_tag, Example: tags_tasks:mytag
name: | File name pattern
type: | File type/format
string: | String contained in the binary
ssdeep: | Fuzzy hash
crc32: | CRC32 hash
imphash: | Search for PE Imphash
iconhash: | Search for exact hash of the icon associated with the PE
iconfuzzy: | Search for hash designed to match on similar-looking icons
file: | Opened files matching the pattern
command: | Executed commands matching the pattern
resolvedapi: | APIs resolved at runtime matching the pattern
key: | Opened registry keys matching the pattern
mutex: | Opened mutexes matching the pattern
sport: | Source port. Ex: sport:X
dport: | Destination port. Ex: dport:443
port: | Search in source and destination ports. Ex: port:X
ip: | Contacted the specified IP address
domain: | Contacted the specified domain
url: | Search for CAPE Sandbox URL analysis
signame: | Search for CAPE Sandbox signatures through signature names
signature: | Search for CAPE Sandbox signatures through signature descriptions
detections: | Search for samples associated with a malware family
surimsg: | Search for Suricata alert MSG
surialert: | Search for Suricata alerts
surisid: | Search for Suricata alert SID
suriurl: | Search for URL in Suricata HTTP logs
suriua: | Search for User-Agent in Suricata HTTP logs
surireferrer: | Search for Referrer in Suricata HTTP logs
surihhost: | Search for Host in Suricata HTTP logs
suritlssubject: | Search for TLS Subject in Suricata TLS logs
suritlsissuerdn: | Search for TLS Issuer DN in Suricata TLS logs
suritlsfingerprint: | Search for TLS Fingerprint in Suricata TLS logs
suritls: | Search for Suricata TLS
surihttp: | Search for Suricata HTTP
ja3_string: | Search for JA3 string
ja3_hash: | Search for JA3 hash
clamav: | Local ClamAV detections
yaraname: | Yara rule name for analysis samples
capeyara: | Yara rule name for CAPE Yara hits
procmemyara: | Yara rule name for process memory dumps
virustotal: | VirusTotal detection name
machinename: | Name of the target machine
machinelabel: | Label of the target machine
custom: | Custom data
shrikemsg: | Shrike Suricata alert MSG
shrikesid: | Shrike Suricata alert SID (exact int)
shrikeurl: | Shrike URL before mangling
shrikerefer: | Shrike Referrer
comment: | Search for analysis comments
malscore: | Search for Malscore greater than the value
ttp: | TTP id, ex: ttp:T1053
payloads: | md5/sha1/sha3/sha256/sha512 (to be deprecated soon due to global search)
dhash: | hash
die: | Keyword, ex: die:obsidium
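The table above describes a `prefix:term` syntax with a few special cases: bare hashes need no prefix and are recognised by their length, `ids:` takes a comma-separated list, `malscore:` is a greater-than comparison, `options:` takes `x=y`, and an un-prefixed non-hash term is passed to ElasticSearch, where `*` is a wildcard. The parser below is an added example written for this page, not CAPE Sandbox's own search code; the field names it returns, the `fulltext` label for ElasticSearch terms and the mapping of 96 hex characters to SHA3-384 are assumptions, and the port range check is added as a sanity check the page does not mention.

```python
import re

# Bare-term hash detection: hex length -> field name. MD5, SHA1, SHA256 and
# SHA512 lengths are standard; 96 hex chars -> SHA3-384 is an assumption,
# since the page only says "SHA3" without naming the variant.
HASH_FIELDS = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha3_384", 128: "sha512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Prefixes taken from the page's table.
KNOWN_PREFIXES = {
    "configs", "id", "ids", "options", "tags_tasks", "name", "type", "string",
    "ssdeep", "crc32", "imphash", "iconhash", "iconfuzzy", "file", "command",
    "resolvedapi", "key", "mutex", "sport", "dport", "port", "ip", "domain",
    "url", "signame", "signature", "detections", "surimsg", "surialert",
    "surisid", "suriurl", "suriua", "surireferrer", "surihhost",
    "suritlssubject", "suritlsissuerdn", "suritlsfingerprint", "suritls",
    "surihttp", "ja3_string", "ja3_hash", "clamav", "yaraname", "capeyara",
    "procmemyara", "virustotal", "machinename", "machinelabel", "custom",
    "shrikemsg", "shrikesid", "shrikeurl", "shrikerefer", "comment",
    "malscore", "ttp", "payloads", "dhash", "die",
}
INT_PREFIXES = {"id", "shrikesid"}       # single exact integer
PORT_PREFIXES = {"sport", "dport", "port"}


def _port(value: str) -> int:
    """Parse a port and reject values outside 0-65535 (added sanity check)."""
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_query(query: str) -> dict:
    """Turn one search-box string into a {'field', 'value'[, 'op']} dict.

    Raises ValueError for unknown prefixes, empty terms and malformed
    values, so a bad query fails loudly instead of silently matching nothing.
    """
    q = query.strip()
    if not q:
        raise ValueError("empty query")
    if ":" not in q:
        # No prefix: a hex string of a known hash length is a hash search,
        # anything else goes to ElasticSearch as a free-text/wildcard term.
        if HEX_RE.match(q) and len(q) in HASH_FIELDS:
            return {"field": HASH_FIELDS[len(q)], "value": q.lower()}
        return {"field": "fulltext", "value": q}

    prefix, _, value = q.partition(":")
    prefix, value = prefix.strip().lower(), value.strip()
    if prefix not in KNOWN_PREFIXES:
        raise ValueError(f"unknown search prefix: {prefix!r}")
    if not value:
        raise ValueError("empty search term")

    if prefix == "ids":                       # ids:1,2,3,4,5
        return {"field": "ids", "value": [int(x) for x in value.split(",") if x.strip()]}
    if prefix in INT_PREFIXES:                # id:1, shrikesid:<exact int>
        return {"field": prefix, "value": int(value)}
    if prefix in PORT_PREFIXES:               # dport:443
        return {"field": prefix, "value": _port(value)}
    if prefix == "malscore":                  # "greater than the value"
        return {"field": "malscore", "op": ">", "value": float(value)}
    if prefix == "options":                   # options:x=y
        key, sep, val = value.partition("=")
        if not sep or not key.strip():
            raise ValueError("options: expects key=value")
        return {"field": "options", "value": (key.strip(), val.strip())}
    if prefix == "payloads":                  # payloads:<md5/sha1/sha3/sha256/sha512>
        if not (HEX_RE.match(value) and len(value) in HASH_FIELDS):
            raise ValueError("payloads: expects a supported hash")
        return {"field": "payloads", "hash_type": HASH_FIELDS[len(value)],
                "value": value.lower()}
    return {"field": prefix, "value": value}  # plain pattern/keyword searches


def wildcard_matches(pattern: str, text: str) -> bool:
    """ElasticSearch-style wildcard: '*' any run, '?' one char, rest literal.

    Note '.' is literal, so '*windows.*' matches 'time.windows.com' but not
    'windowsupdate.com'.
    """
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, text) is not None
```

Running `parse_query` over the examples in the table (`id:1`, `ids:1,2,3,4,5`, `dport:443`, `ttp:T1053`, a bare MD5) shows how each prefix maps to a typed value; `wildcard_matches` reproduces the ElasticSearch behaviour stated at the top of the page, where `'*windows.*'` matches `time.windows.com` because the dot is literal.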
ID | Timestamp | Package | Filename | Target | Detections | PKG | SuriAlert /HTTP/TLS/Files | VT | MalScore | Detections | PCAP | ClamAV | Custom | Status |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
16 | 2022-06-10 10:38:54 | exe | RogueRobinPowershell.bin | 953a753dd4944c9a2b9876b090bf7c00 | Powershell | exe | 0/0/0/0 | 30/72 | 2.0 | [{'family': 'Powershell', 'details': [{'VirusTotal': '36862f654c3356d2177b5d35a410c78ff9803d1d7d20da0b82e3d69d640e856e'}]}] | PCAP | None | None | reported |