{"id":10162,"date":"2024-12-04T11:13:21","date_gmt":"2024-12-04T11:13:21","guid":{"rendered":"\/cybersecurity-blog\/?p=10162"},"modified":"2024-12-17T13:54:33","modified_gmt":"2024-12-17T13:54:33","slug":"search-operators-and-wildcards-in-ti-lookup","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/","title":{"rendered":"Search Operators and Wildcards for Cyber Threat Investigations"},"content":{"rendered":"\n<p>Finding information on specific cyber threats in a vast amount of data can be challenging. Threat Intelligence Lookup from <a href=\"?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolanding\">ANY.RUN<\/a> simplifies this task with wildcards and operators that provide you with the ability to create flexible and precise search queries.<\/p>\n\n\n\n<p>Let&#8217;s take a look at how you can use them to identify and collect intel on malware and phishing attacks more effectively.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>About Threat Intelligence Lookup<\/strong>&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"597\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/mainscreen-1024x597.png\" alt=\"\" class=\"wp-image-10207\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/mainscreen-1024x597.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/mainscreen-300x175.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/mainscreen-768x448.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/mainscreen-1536x895.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/mainscreen-370x216.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/mainscreen-270x157.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/mainscreen-740x431.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/mainscreen.png 1843w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Main page of TI Lookup<\/em><\/figcaption><\/figure><\/div>\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktoti\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence (TI) Lookup<\/a> is a fast and efficient tool designed to simplify cyber threat investigations. It allows for flexible searches for <a href=\"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">Indicators of Compromise<\/a> (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs).&nbsp;&nbsp;<\/p>\n\n\n\n<p>TI Lookup provides access to a constantly updated database of threat data collected from millions of <a href=\"https:\/\/app.any.run\/submissions\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">public malware and phishing samples<\/a> analyzed in ANY.RUN\u2019s Interactive Sandbox.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Each sandbox session contains detailed logs of system and network events that occur while a threat is executing. 
By searching through this comprehensive data, you can easily find connections between seemingly unrelated pieces of information and tie them to a specific threat.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s how TI Lookup can help you and your organization:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Investigate Threats Quickly<\/strong>: Gather extensive and in-depth information on emerging and persistent cyber threats with <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-search-parameters\/\" target=\"_blank\" rel=\"noreferrer noopener\">over 40 search parameters<\/a> (e.g. threat names, command lines, registry logs, etc.).&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Receive Real-Time Updates<\/strong>: Stay informed with <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-notifications\/\" target=\"_blank\" rel=\"noreferrer noopener\">real-time updates<\/a> on results for your search queries.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enrich Threat Intelligence<\/strong>: Get relevant context, indicators, and samples manually analyzed by threat analysts.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Search Operators in TI Lookup<\/strong>&nbsp;<\/h2>\n\n\n\n<p>Search operators are essential tools in TI Lookup that allow you to combine several indicators to refine your search queries effectively. They act as logical connectors that help you specify the relationships between different conditions in your search and achieve greater flexibility and precision in your searches.&nbsp;<\/p>\n\n\n\n<p>TI Lookup supports logical operators like AND, OR, and NOT, as well as grouping with parentheses. 
Let\u2019s take a closer look at each of these.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AND<\/strong>&nbsp;<\/h3>\n\n\n\n<p><strong>What it does&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<p>The AND operator helps you combine multiple conditions.&nbsp;<\/p>\n\n\n\n<p><strong>Why use it&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<p>AND is great for narrowing down your search to find threats by including as many unique indicators as possible.&nbsp;&nbsp;<\/p>\n\n\n\n<p>It is equally effective in situations when you have several completely disparate artifacts, like an IP address and a mutex, and want to link them to a particular threat.&nbsp;<\/p>\n\n\n\n<p><strong>Example<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-204\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"204\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#%7B%2522query%2522:%2522domainName:%255C%2522thum.io%255C%2522%2520AND%2520domainName:%255C%2522logo.clearbit.com%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#%7B%2522query%2522:%2522domainName:%255C%2522thum.io%255C%2522%2520AND%2520domainName:%255C%2522logo.clearbit.com%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"domainName:&quot;thum.io&quot; AND domainName:&quot;logo.clearbit.com&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">domainName:&quot;thum.io&quot; AND domainName:&quot;logo.clearbit.com&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-204'>\ntable#wpdtSimpleTable-204{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-204 td, table.wpdtSimpleTable204 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>This query is designed to search for sandbox sessions where both thum[.]io and logo[.]clearbit[.]com domains were found.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Thum[.]io is a real-time website screenshot generator.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>logo[.]clearbit[.]com is a service for fetching company logos.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"597\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-1024x597.png\" alt=\"\" class=\"wp-image-10178\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-1024x597.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-300x175.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-768x448.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-1536x896.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-370x216.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-270x157.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-740x432.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup lets you navigate to the ANY.RUN sandbox to see and run analysis of each sample<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>TI Lookup almost instantly provides results: associated IP addresses and sandbox sessions, all of which contain a \u201cmalicious activity\u201d label and a \u201c<a href=\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing<\/a>\u201d tag.&nbsp;<\/p>\n\n\n\n<p>We can click any session of our interest to investigate the threat further.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"600\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-1-1024x600.png\" alt=\"\" class=\"wp-image-10179\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-1-1024x600.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-1-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-1-768x450.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-1-1536x900.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-1-370x217.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-1-270x158.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-1-740x434.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-1.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The phishing page contains a fake form for stealing the victim\u2019s credentials<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>By reviewing the analysis report, we can see that this attack uses thum[.]io to dynamically generate phishing pages whose background matches the victim\u2019s own website. Attackers also use logo[.]clearbit[.]com to add the corresponding company logos so that the fake pages appear more legitimate.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>OR<\/strong>&nbsp;<\/h3>\n\n\n\n<p><strong>What it does<\/strong>&nbsp;<\/p>\n\n\n\n<p>The OR operator helps return matches where at least one of the given conditions is found.&nbsp;<\/p>\n\n\n\n<p><strong>Why use it&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<p>OR is excellent in situations when you are not sure which one of two indicators is related to a threat. 
It is also useful for broadening your search to include results where both indicators are found, but not necessarily together in the same session.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>Example&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-205\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"205\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#%7B%2522query%2522:%2522syncObjectName:%255C%2522DocumentUpdater%255C%2522%2520OR%2520syncObjectName:%255C%2522PackageManager%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#%7B%2522query%2522:%2522syncObjectName:%255C%2522DocumentUpdater%255C%2522%2520OR%2520syncObjectName:%255C%2522PackageManager%255C%2522%2522,%2522dateRange%2522:180%7D\" 
data-link-text=\"syncObjectName:&quot;DocumentUpdater&quot; OR syncObjectName:&quot;PackageManager&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">syncObjectName:&quot;DocumentUpdater&quot; OR syncObjectName:&quot;PackageManager&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-205'>\ntable#wpdtSimpleTable-205{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-205 td, table.wpdtSimpleTable205 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"605\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-1024x605.png\" alt=\"\" class=\"wp-image-10181\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-1024x605.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-300x177.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-768x454.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-1536x907.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-370x219.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-740x437.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>You see how these mutexes are used by exploring their corresponding sandbox sessions <\/em><\/figcaption><\/figure><\/div>\n\n\n<p>It searches for entries where 
the synchronization object name is &#8220;DocumentUpdater&#8221; or &#8220;PackageManager&#8221;. If you&#8217;re investigating a threat that could be using either of these sync objects, this query ensures you don&#8217;t miss any relevant information.&nbsp;<\/p>\n\n\n\n<p>TI Lookup shows that the synchronization objects are mutexes and provides sandbox sessions where they were previously discovered.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>NOT<\/strong>&nbsp;<\/h3>\n\n\n\n<p><strong>What it does<\/strong>&nbsp;<\/p>\n\n\n\n<p>The NOT operator excludes results that match the specified condition.&nbsp;<\/p>\n\n\n\n<p><strong>Why use it<\/strong>&nbsp;<\/p>\n\n\n\n<p>NOT is helpful when you want to refine your search and see only sandbox sessions where a certain item, like a domain or file name, was not observed.&nbsp;<\/p>\n\n\n\n<p><strong>Example<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-206\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"206\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522Phishing%255C%2522%2520NOT%2520taskType:%255C%2522url%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522Phishing%255C%2522%2520NOT%2520taskType:%255C%2522url%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"threatName:&quot;Phishing&quot; NOT taskType:&quot;url&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">threatName:&quot;Phishing&quot; NOT taskType:&quot;url&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-206'>\ntable#wpdtSimpleTable-206{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-206 td, table.wpdtSimpleTable206 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>This query is looking for phishing samples but excludes any entries where the initial submission uploaded to the ANY.RUN sandbox was a URL.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"600\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-1-1024x600.png\" alt=\"\" class=\"wp-image-10182\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-1-1024x600.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-1-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-1-768x450.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-1-1536x900.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-1-370x217.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-1-270x158.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-1-740x434.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image4-1.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Results include sandbox sessions with the tag \u201cphishing\u201d that feature malicious files<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>It helps us find email, html, zip, exe, or other types of files, used in phishing attacks.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Parentheses ()<\/strong>&nbsp;<\/h3>\n\n\n\n<p><strong>What they do<\/strong>&nbsp;<\/p>\n\n\n\n<p>Parentheses group conditions and control the order of operations to ensure they are processed in the order you specify.&nbsp;<\/p>\n\n\n\n<p><strong>Why use them&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<p>Parentheses are essential for creating complex queries, making your search more precise and effective.&nbsp;<\/p>\n\n\n\n<p><strong>Example<\/strong><\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-207\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"207\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr 
class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#%7B%2522query%2522:%2522imagePath:%255C%2522mshta.exe%255C%2522%2520AND%2520(destinationPort:%255C%252280%255C%2522%2520OR%2520destinationPort:%255C%2522443%255C%2522)%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#%7B%2522query%2522:%2522imagePath:%255C%2522mshta.exe%255C%2522%2520AND%2520(destinationPort:%255C%252280%255C%2522%2520OR%2520destinationPort:%255C%2522443%255C%2522)%2522,%2522dateRange%2522:180%7D\" data-link-text=\"imagePath:&quot;mshta.exe&quot; AND (destinationPort:&quot;80&quot; OR destinationPort:&quot;443&quot;)\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">imagePath:&quot;mshta.exe&quot; AND (destinationPort:&quot;80&quot; OR destinationPort:&quot;443&quot;)<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-207'>\ntable#wpdtSimpleTable-207{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-207 
td, table.wpdtSimpleTable207 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>This query searches for sandbox sessions and their related data where the process &#8220;mshta.exe&#8221; was observed along with connections to destination ports of either 80 or 443. The parentheses ensure that the OR condition is processed first, making the search more precise.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"600\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-1-1024x600.png\" alt=\"\" class=\"wp-image-10184\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-1-1024x600.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-1-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-1-768x450.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-1-1536x900.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-1-370x217.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-1-270x158.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-1-740x434.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-1.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>You can explore domains, IPs, synchronization objects, events, files, and other details related to the query<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>TI Lookup returns a wealth of threat data related to our query. 
Some of the results include malicious domains and IP addresses, as well as a list of network threats detected during analyses.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Wildcard Characters<\/strong>&nbsp;<\/h2>\n\n\n\n<p>Wildcards in TI Lookup act as placeholders in your search queries. They can represent different types of character sequences.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Asterisk (*)<\/strong>&nbsp;<\/h3>\n\n\n\n<p><strong>What it does&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<p>The asterisk represents any number of characters, including none. This means it can stand in for zero, one, or multiple characters.&nbsp;The asterisk is added by default at the start and end of each query, so in most cases there is no need to enter it manually.<\/p>\n\n\n\n<p><strong>Why use it<\/strong>&nbsp;<\/p>\n\n\n\n<p>The asterisk is great for when you&#8217;re not sure about the exact content of a string. It helps you find matches even if there are unknown parts or certain variations in your query string.&nbsp;<\/p>\n\n\n\n<p><strong>Example<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-209\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"209\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                      
  <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522C:%255C%255C%255C%255CUsers%255C%255C%255C%255CPublic%255C%255C%255C%255C*.vbs%255C%2522%2520AND%2520commandLine:%255C%2522C:%255C%255C%255C%255CUsers%255C%255C%255C%255CPublic%255C%255C%255C%255C*.bat%255C%2522%2520AND%2520commandLine:%255C%2522C:%255C%255C%255C%255CUsers%255C%255C%255C%255CPublic%255C%255C%255C%255C*.ps1%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522C:%255C%255C%255C%255CUsers%255C%255C%255C%255CPublic%255C%255C%255C%255C*.vbs%255C%2522%2520AND%2520commandLine:%255C%2522C:%255C%255C%255C%255CUsers%255C%255C%255C%255CPublic%255C%255C%255C%255C*.bat%255C%2522%2520AND%2520commandLine:%255C%2522C:%255C%255C%255C%255CUsers%255C%255C%255C%255CPublic%255C%255C%255C%255C*.ps1%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"commandLine:&quot;C:\\\\Users\\\\Public\\\\*.vbs&quot; AND commandLine:&quot;C:\\\\Users\\\\Public\\\\*.bat&quot; AND commandLine:&quot;C:\\\\Users\\\\Public\\\\*.ps1&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">commandLine:&quot;C:\\\\Users\\\\Public\\\\*.vbs&quot; AND commandLine:&quot;C:\\\\Users\\\\Public\\\\*.bat&quot; AND commandLine:&quot;C:\\\\Users\\\\Public\\\\*.ps1&quot;<\/a>                    <\/td>\n                                        <\/tr>\n        
            <\/table>\n<\/div><style id='wpdt-custom-style-209'>\ntable#wpdtSimpleTable-209{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-209 td, table.wpdtSimpleTable209 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>This query searches for sandbox sessions where the command line includes paths to <a href=\"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/\">specific script files<\/a> located in the C:\\Users\\Public directory. The scripts must be of types .vbs (Visual Basic Script), .bat (Batch file), and .ps1 (PowerShell script).&nbsp;&nbsp;<\/p>\n\n\n\n<p>Yet, the names of these scripts are replaced with the asterisk wildcard, representing any string of characters, as they can vary.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"600\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-1024x600.png\" alt=\"\" class=\"wp-image-10187\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-1024x600.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-768x450.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-1536x900.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-370x217.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-270x158.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7-740x434.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image7.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Asterisks are used to replace any string of characters<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This helps us discover scripts with 
different file names and see how each of them fits into a wider context of the entire attack analyzed in the sandbox.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"605\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image8-1024x605.png\" alt=\"\" class=\"wp-image-10188\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image8-1024x605.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image8-300x177.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image8-768x454.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image8-1536x907.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image8-370x219.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image8-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image8-740x437.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image8.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">ANY.RUN&#8217;s Interactive Sandbox offers advanced script execution analysis<\/figcaption><\/figure><\/div>\n\n\n<p>In the image above, you can see the execution of <a href=\"https:\/\/app.any.run\/tasks\/3598564b-202c-4748-bb2a-bb3600daf69a?p=674d3217a54b7423c3f5b349\" target=\"_blank\" rel=\"noreferrer noopener\">one of the found scripts<\/a> inside the ANY.RUN sandbox.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Question Mark (?)<\/strong>&nbsp;<\/h3>\n\n\n\n<p><strong>What it does&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<p>The question mark represents any single character or its absence. This means it can stand in for exactly one character or none at all.&nbsp;<\/p>\n\n\n\n<p><strong>Why use it&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<p>The question mark is perfect for situations when you are not sure about a certain character in your string or know that it varies.&nbsp;<\/p>\n\n\n\n<p><strong>Example&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-208\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"208\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522http*%255C%255C\/?%255C%255C\/%255C%255C?c3Y9%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522http*%255C%255C\/?%255C%255C\/%255C%255C?c3Y9%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"commandLine:&quot;http*\\\/?\\\/\\?c3Y9&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">commandLine:&quot;http*\\\/?\\\/\\?c3Y9&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-208'>\ntable#wpdtSimpleTable-208{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-208 td, table.wpdtSimpleTable208 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>Here, we can borrow a query from Jane_0sint\u2019s <a href=\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/\" target=\"_blank\" rel=\"noreferrer noopener\">article on phishing investigations<\/a>, which is intended for identifying samples of Mamba2FA attacks.&nbsp;&nbsp;<\/p>\n\n\n\n<p>A notable part of this query is that we can see the question mark being used twice. 
Yet, there is a difference between these two instances:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The first one is the wildcard that serves as a stand-in for the characters \u201cm\u201d, \u201cn\u201d, and \u201co\u201d that are commonly used in Mamba2FA URLs.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The second question mark is part of the address. To escape it, we use the backslash (\) symbol.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"600\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image6-1024x600.png\" alt=\"\" class=\"wp-image-10185\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image6-1024x600.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image6-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image6-768x450.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image6-1536x900.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image6-370x217.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image6-270x158.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image6-740x434.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image6.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Make sure to escape ? 
when it is part of your search string<\/em> <\/figcaption><\/figure><\/div>\n\n\n<p>We once again can observe a variety of results, including command lines that contain different URLs matching our query.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Dollar Sign ($)<\/strong>&nbsp;<\/h3>\n\n\n\n<p><strong>What it does<\/strong>&nbsp;<\/p>\n\n\n\n<p>The dollar sign ensures that the search term must appear at the end of the string. It excludes matches with any characters after the specified content.&nbsp;<\/p>\n\n\n\n<p><strong>Why use it&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<p>The dollar sign is useful when you know the exact ending of a string but are unsure about the beginning. It helps you find matches that end with your specified term.&nbsp;<\/p>\n\n\n\n<p><strong>Example<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-210\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"210\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#{%22query%22:%22syncObjectName:%5C%22_STOP$%5C%22%22,%22dateRange%22:180}\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#{%22query%22:%22syncObjectName:%5C%22_STOP$%5C%22%22,%22dateRange%22:180}\" data-link-text=\"syncObjectName:&quot;_STOP$&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">syncObjectName:&quot;_STOP$&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-210'>\ntable#wpdtSimpleTable-210{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-210 td, table.wpdtSimpleTable210 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>This query searches for any synchronization object whose name ends with _STOP.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"604\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image9-1-1024x604.png\" alt=\"\" class=\"wp-image-10189\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image9-1-1024x604.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image9-1-300x177.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image9-1-768x453.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image9-1-1536x905.png 1536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image9-1-370x218.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image9-1-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image9-1-740x436.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image9-1.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Each mutex<\/em> <em>can be explored in detail in its corresponding sandbox session<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Among the results, we can see mutex names such as biudfw_stop, jeboi_stop, and nonij_stop. As always, we can explore each of them in detail by navigating to their corresponding sandbox sessions.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Caret (^)<\/strong>&nbsp;<\/h3>\n\n\n\n<p><strong>What it does&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<p>The caret ensures that the search term must appear at the beginning of the string. It prevents matches with any characters before the specified query content.&nbsp;<\/p>\n\n\n\n<p><strong>Why use it<\/strong>&nbsp;<\/p>\n\n\n\n<p>The caret is helpful when you know the exact starting point of a string but are unsure about the rest. 
It narrows down your search to items that begin with your specified term.&nbsp;<\/p>\n\n\n\n<p><strong>Example<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-211\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"211\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#%7B%2522query%2522:%2522domainName:%255C%2522%5E0ffice.*.com$%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktolookup#%7B%2522query%2522:%2522domainName:%255C%2522%5E0ffice.*.com$%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"domainName:&quot;^0ffice.*.com$&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" 
data-link-content=\"wpdt-link-content\">domainName:&quot;^0ffice.*.com$&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-211'>\ntable#wpdtSimpleTable-211{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-211 td, table.wpdtSimpleTable211 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>This query finds domain names that start with 0ffice and end with .com, with any characters allowed in between. The caret (^) and dollar sign ($) ensure the exact start and end.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"606\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-1024x606.png\" alt=\"\" class=\"wp-image-10190\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-1024x606.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-300x178.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-768x455.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-1536x909.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-370x219.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-270x160.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-740x438.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup returns all matching domains found across its database over the past 180 days<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>TI Lookup provides us with domains that match our query, along with the sandbox sessions where they were found.&nbsp;<\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>Wildcards and operators in TI Lookup provide the flexibility and precision needed to perform threat intelligence searches. By learning how to use these tools, you can make your threat hunting efforts more effective.<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktotiplans\" target=\"_blank\" rel=\"noreferrer noopener\">Give it a try by requesting a free trial of TI Lookup<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN\u2019s&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phish_investigations_with_jane&amp;utm_term=261124&amp;utm_content=linktolookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=mitre_ttps_in_ti_lookup&amp;utm_term=211124&amp;utm_content=linktotilanding\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a>&nbsp;services allow for precise threat hunting and the extraction of valuable insights into current cyber threat trends. What\u2019s impressive is how fast these scans are\u2014they significantly speed up the analysis process, allowing for quick detection of threats and malware.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=operators_wildcards&amp;utm_term=041224&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Try ANY.RUN\u2019s Interactive Sandbox and Threat Intelligence Lookup for FREE \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Finding information on specific cyber threats in a vast amount of data can be challenging. 
Threat Intelligence Lookup from ANY.RUN simplifies this task with wildcards and operators that provide you with the ability to create flexible and precise search queries. Let&#8217;s take a look at how you can use them to identify and collect intel [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":10222,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[57,10,54,40],"class_list":["post-10162","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-instructions","tag-anyrun","tag-cybersecurity","tag-features","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Search Operators and Wildcards for Cyber Threat Investigations - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Learn how to use wildcards and operators in TI Lookup to create effective search queries for collecting intelligence on cyber threats.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Search Operators and Wildcards for Cyber Threat Investigations\",\"datePublished\":\"2024-12-04T11:13:21+00:00\",\"dateModified\":\"2024-12-17T13:54:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/\"},\"wordCount\":1860,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"features\",\"malware behavior\"],\"articleSection\":[\"Instructions on ANY.RUN\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/\",\"name\":\"Search Operators and Wildcards for Cyber Threat Investigations - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-12-04T11:13:21+00:00\",\"dateModified\":\"2024-12-17T13:54:33+00:00\",\"description\":\"Learn how to use wildcards and operators in TI Lookup to create effective search queries for collecting intelligence on cyber 
threats.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Instructions on ANY.RUN\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/instructions\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Search Operators and Wildcards for Cyber Threat Investigations\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Search Operators and Wildcards for Cyber Threat Investigations - ANY.RUN&#039;s Cybersecurity Blog","description":"Learn how to use wildcards and operators in TI Lookup to create effective search queries for collecting intelligence on cyber threats.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Search Operators and Wildcards for Cyber Threat Investigations","datePublished":"2024-12-04T11:13:21+00:00","dateModified":"2024-12-17T13:54:33+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/"},"wordCount":1860,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","features","malware behavior"],"articleSection":["Instructions on ANY.RUN"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/","url":"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/","name":"Search Operators and Wildcards for Cyber Threat Investigations - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-12-04T11:13:21+00:00","dateModified":"2024-12-17T13:54:33+00:00","description":"Learn how to use wildcards and operators in TI Lookup to create effective search queries for collecting intelligence on cyber 
threats.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Instructions on ANY.RUN","item":"https:\/\/any.run\/cybersecurity-blog\/category\/instructions\/"},{"@type":"ListItem","position":3,"name":"Search Operators and Wildcards for Cyber Threat Investigations"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10162"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=10162"}],"version-history":[{"count":40,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10162\/revisions"}],"predecessor-version":[{"id":10522,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10162\/revisions\/10522"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/10
222"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=10162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=10162"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=10162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}