We are excited to announce the release of our Google Threat Intelligence Cheat Sheet. Designed as a quick reference guide, this cheat sheet provides hints and examples of some of the most useful intelligence searches available in Google Threat Intelligence.
For a security analyst, being able to build these searches efficiently is essential to quickly identify, analyze and track the latest threats, ultimately helping to protect organizations.
By combining entities (the type of item you're searching for) and other modifiers (specific attributes or characteristics of that entity), we can craft highly targeted queries to find the critical intelligence needed for our investigation and defense efforts. Here's how you can construct these search queries:
- Specify the Entity Type: Start by defining the type of item you are searching for with the entity modifier. The entity types are file, URL, domain, IP address and collection.
- Use Modifiers to Refine Your Search: Each entity type (file, URL, domain, IP address and collection) has its own set of modifiers, which let you filter on attributes specific to that entity.
Let’s see some basic examples of searches using each entity modifier:
- entity:file engines:keylogger size:100kb-
- entity:domain category:phishing
- entity:url port:8080 header_value:"Apache"
- entity:ip asn:15169 communicating_files_max_detections:30+ detected_communicating_files_count:5+
- entity:collection tag:Kimsuky
Note that if a query does not start with an entity modifier, it defaults to entity:file and returns only files.
- Combine Boolean operators (AND, OR, NOT; two adjacent terms with no operator are treated as AND) and parentheses with search modifiers to build more complex searches. Parentheses matter: in a query such as entity:domain a OR b, grouping the alternatives as (a OR b) keeps the entity modifier applied to both.
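The following Python is an added example, not code from the original post or from Google Threat Intelligence: it composes queries following the entity + modifier + Boolean rules above (quoting values with spaces, parenthesizing OR groups so the entity modifier scopes over every alternative) and pages through results of the VirusTotal API v3 intelligence/search endpoint. The endpoint URL, the x-apikey header, the query/limit/cursor parameters and the data / links.next response shape are assumed from the public VirusTotal v3 API documentation; the responses in SAMPLE_PAGES are constructed here so the example runs offline.

```python
"""Compose GTI intelligence-search queries and page through results.

Added example, not code from the original post.  Assumptions: the endpoint,
the `x-apikey` header, the `query`/`limit`/`cursor` parameters and the
`data` / `links.next` response shape follow the public VirusTotal v3 API
documentation; SAMPLE_PAGES below is constructed so the code runs offline.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, Optional

API = "https://www.virustotal.com/api/v3/intelligence/search"
Fetch = Callable[[str], dict]


def term(modifier: str, value: str) -> str:
    """Render one modifier:value pair; quote values containing whitespace so the
    engine reads them as one token, e.g. name:"Payroll Tax Payment"."""
    if any(ch.isspace() for ch in value):
        value = f'"{value}"'
    return f"{modifier}:{value}"


def any_of(*alternatives: str) -> str:
    """OR-group wrapped in parentheses.  Without them, `entity:domain a OR b`
    would scope entity:domain to the first alternative only."""
    return "(" + " OR ".join(alternatives) + ")"


def build_query(entity: Optional[str], *terms: str, exclude: Iterable[str] = ()) -> str:
    """Join terms with the implicit AND.  entity=None relies on the engine's
    default of entity:file, as the post notes."""
    parts = [f"entity:{entity}"] if entity else []
    parts.extend(terms)
    parts.extend(f"NOT {t}" for t in exclude)
    return " ".join(parts)


def search(query: str, fetch: Fetch, limit: int = 10) -> Iterator[dict]:
    """Yield every object matching `query`, following links.next cursors until
    the last page.  `fetch` maps a URL to the decoded JSON body."""
    url = f"{API}?{urllib.parse.urlencode({'query': query, 'limit': limit})}"
    while url:
        body = fetch(url)
        yield from body.get("data", [])
        url = body.get("links", {}).get("next")


def live_fetch(api_key: str) -> Fetch:
    """Real fetcher: GET with the x-apikey header (needs network and a GTI key)."""
    def _fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"x-apikey": api_key, "accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return _fetch


def summarize(objects: Iterable[dict]) -> Dict[str, int]:
    """Map each object id (the SHA-256 for files) to its malicious-engine count."""
    return {
        obj["id"]: obj.get("attributes", {}).get("last_analysis_stats", {}).get("malicious", 0)
        for obj in objects
    }


# Constructed sample responses: two pages of a file search, keyed by cursor value.
SAMPLE_PAGES = {
    "": {
        "data": [
            {"type": "file", "id": "a" * 64, "attributes": {"last_analysis_stats": {"malicious": 41}}},
            {"type": "file", "id": "b" * 64, "attributes": {"last_analysis_stats": {"malicious": 7}}},
        ],
        "links": {"next": f"{API}?cursor=page2"},
    },
    "page2": {
        "data": [{"type": "file", "id": "c" * 64, "attributes": {"last_analysis_stats": {"malicious": 0}}}],
        "links": {},
    },
}


def offline_fetch(url: str) -> dict:
    """Stand-in for live_fetch that serves SAMPLE_PAGES by the cursor parameter."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return SAMPLE_PAGES[qs.get("cursor", [""])[0]]


if __name__ == "__main__":
    lazarus = build_query("domain", any_of(term("comment", "Lazarus"),
                                           term("comment", "Hidden Cobra"),
                                           term("comment", "APT38")))
    print(lazarus)
    payroll = build_query(None, term("type", "doc"), term("tag", "attachment"),
                          term("name", "Payroll Tax Payment"), term("gti_verdict", "malicious"))
    print(payroll)
    for sha256, hits in summarize(search(payroll, offline_fetch)).items():
        print(sha256[:12], hits)
```

Swap offline_fetch for live_fetch("<api key>") to run the same loop against the real service; the cursor handling is the part most hand-written scripts get wrong, since a single page silently truncates large result sets.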
Here are some examples of searches useful to security researchers and analysts, organized into sections:
DOCUMENTS:
Let's start by searching for documents. Common types like PDFs, DOCs, and XLSs are frequent malware delivery vectors, and require thorough investigation. Remember, searches default to entity:file. This means you don't need to add entity:file for the document queries (which are file searches) shown below—it's simply optional. These examples demonstrate how to pinpoint suspicious files by their defining traits:
- Macro-enabled documents (tag modifier) of a given type (type modifier) with a Google TI score of 30 or more and first seen within the last 30 days:
(type:doc OR type:docx) tag:macros fs:30d+ gti_score:30+
- Malicious DOC files delivered as attachments (tag modifier) with file names including "Payroll Tax Payment" and identified as malicious by Google Threat Intelligence:
type:doc tag:attachment name:"Payroll Tax Payment" gti_verdict:malicious
The tag modifier is a powerful and versatile search modifier applicable across various entity types, not just files. There is an extensive list of tags that can be used to precisely target specific characteristics; you can find the full list of available tags and their detailed descriptions in the official documentation.
- Excel files first seen on the platform in the last seven days and detected by at least three AV engines, that read system environment variables and make registry changes to hide execution or to persist on a system (using the tag or mbc modifiers):
(type:xls OR type:xlsx OR type:xlsm) mbc:E1112 fs:7d+ positives:3+ tag:environ
- Malicious OneNote files that execute PowerShell from macros and call WMI, probably to manipulate Windows Registry settings:
type:onenote tag:macro-powershell tag:calls-wmi
- PowerPoint files executing other files and containing obfuscated code or content:
(type:ppt OR type:pptx) tag:run-file tag:obfuscated
BEHAVIOR:
Static analysis tells part of the story; behavioral analysis reveals the plot. The queries in this section are designed to search the dynamic actions of files executed in an automated sandbox. This provides a much deeper understanding of malware's capabilities and objectives. Let’s see more examples:
- Files attempting to extract credentials with Mimikatz:
behaviour_files:"mimikatz" AND behaviour_processes:"sekurlsa::logonpasswords"
As you can see, it's possible to combine several behaviour modifiers to refine a search. In this query, behaviour_files tracks file system interactions (files being created, accessed, modified or deleted), while behaviour_processes tracks process activity (command executions, process termination or code injection).
- Files whose sandbox network behavior involves communication with https://api.telegram.org:
behaviour_network:"https://api.telegram.org/"
Use behaviour_network to pinpoint files based on their network communications, such as specific endpoints contacted or distinct traffic patterns.
- Files using the specific service 'itsbjssks':
behaviour_services:itsbjssks
Use behaviour_services to search for specific services or daemons observed during sandbox analysis.
- Files using a specific MITRE ATT&CK technique or Malware Behavior Catalog (MBC) identifier:
(attack_technique:T1547.001 AND attack_technique:T1053) OR mbc:OB0012
You can also use the attack_tactic modifier, as in this example:
attack_tactic:TA0010 (type:peexe OR type:sh)
- Files that exhibited behaviors consistent with scanning for network services:
behaviour_tag:service_scan
Use behaviour_tag to find files with specific tags assigned by the sandbox based on observed behaviors. This modifier matches the literal tag provided. For a complete list of available tags and more details, refer to the official documentation.
NETWORK AND INFRASTRUCTURE:
This section focuses on identifying suspicious URLs and IP addresses, critical for mapping out threat actor infrastructure, finding command-and-control (C2) servers, and identifying malware distribution points. Let's see some examples:
- URLs with known suspicious paths such as '/c2sock' (using the path modifier): entity:url path:/c2sock
- URLs with the .xyz top-level domain that contain "admin panel" either in their page title or within their metadata: entity:url tld:xyz (title:"admin panel" OR meta:"admin panel")
- URLs with the .ru top-level domain containing ‘android’ as a subword in the URL string (using url modifier), and that could be used to distribute Android APK files: entity:url tld:ru url:android tag:downloads-apk
- Undetected URLs (according to Google TI verdict) using a specific tracker identifier, such as ‘G-KVN8M54JBZ’: entity:url gti_verdict:undetected tracker:G-KVN8M54JBZ
- URLs related to a parent domain/subdomain (for example domain.org) with a specific header ( ‘SimpleHTTPServer’) in the response: entity:url parent_domain:domain.org header_value:"SimpleHTTPServer"
- IPs belonging to an ASN that GCP Abuse Intelligence or Google Safe Browsing have flagged as cryptocurrency mining: entity:ip asn:48287 (gcp_abuse_intelligence:miner OR google_safebrowsing:miner)
APT DETECTION AND TRACKING:
This section is specifically tailored for identifying and tracking activities linked to Advanced Persistent Threats (APTs) or sophisticated malware. The examples provided help analysts follow the digital breadcrumbs left by these actors:
- Files related to UNC5448 (threat_actor modifier) that match a crowdsourced Sigma rule for encoded PowerShell commands (find the full list of crowdsourced Sigma rules here):
sigma_rule:12273189dbbd1ed526c045fb9a7d5e45682ba4e0a13e2e94d65376962a0bfc2e AND threat_actor:UNC5448
- Potential domains linked to Lazarus based on user comments (comment modifier); the parentheses keep entity:domain applied to every alternative:
entity:domain (comment:"Lazarus" OR comment:"Hidden Cobra" OR comment:"APT38")
- New malware samples based on security engine verdicts (engines modifier) or extracted malware configuration (malware_config modifier):
(engines:vidar OR malware_config:vidar) fs:2d+
- Malicious files based on the unique characteristics of their TLS client communications (behaviour_network modifier matching a specific JA4 fingerprint):
behaviour_network:t10d070600_c50f5591e341_1a3805c3aa63
- LNK files potentially used by APT44, matched by a specific crowdsourced YARA rule (full list here):
crowdsourced_yara_rule:00032bfe82|SUSP_LNK_SuspiciousCommands
In conclusion, by combining these entities and modifiers, you can create specific queries to find the intelligence you need within our Google Threat Intelligence platform. Remember to check other interesting examples provided in the PDF version.
Happy Hunting!