{"id":8834,"date":"2024-09-18T10:58:28","date_gmt":"2024-09-18T10:58:28","guid":{"rendered":"\/cybersecurity-blog\/?p=8834"},"modified":"2025-06-26T09:52:14","modified_gmt":"2025-06-26T09:52:14","slug":"ti-lookup-search-parameters","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-search-parameters\/","title":{"rendered":"How to Collect Threat Intelligence Using Search Parameters in TI Lookup"},"content":{"rendered":"\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolanding\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&#8216;s <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> is a valuable resource for security professionals searching for information on the latest cyber threats.&nbsp;<\/p>\n\n\n\n<p>One of the key features of Threat Intelligence Lookup is its extensive search capabilities. The service offers over 40 different search parameters that can be combined to form specific queries. 
These parameters allow you to filter and refine your search results based on various criteria, such as <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-we-process-iocs\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a>, behavioral indicators, and other relevant information.<\/p>\n\n\n\n<p>Let\u2019s explore each search parameter and provide examples of how they can be used in your investigations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>About Threat Intelligence Lookup<\/strong><\/h2>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> is a centralized platform for threat data exploration, collection, and analysis.<\/p>\n\n\n\n<p>At the core of Threat Intelligence Lookup lies a global network of over 400,000 security experts. These individuals actively contribute by submitting suspicious samples to the ANY.RUN sandbox for advanced analysis on a daily basis.<\/p>\n\n\n\n<p>The submission process generates a wealth of valuable threat data, including indicators of compromise (IOCs), which are then extracted and integrated into Threat Intelligence Lookup.<\/p>\n\n\n\n<p>Thanks to its integration with ANY.RUN\u2019s Interactive Sandbox, users can access real-time search results, each one linked to a corresponding sandbox session, enabling in-depth analysis of the identified threats.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Search Parameters in TI Lookup<\/h2>\n\n\n\n<p>Search parameters in TI Lookup are divided into separate groups: tasks, registry, environment, detection, module, connection, process, network threats, file, synchronization, and URL.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Task<\/h2>\n\n\n\n<p>Task parameters refer to the characteristics of tasks (sandbox sessions).<\/p>\n\n\n\n<p><strong>threatName<\/strong><\/p>\n\n\n\n<p>The name of a particular threat: malware family, threat type, etc., as identified by the sandbox.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;Phishing&#8221;, &#8220;xworm&#8221;, &#8220;ransomware&#8221;, &#8220;tycoon&#8221;.<\/p>\n\n\n\n<p><strong>submissionCountry<\/strong><\/p>\n\n\n\n<p>The two-letter code of the country from which the threat sample was submitted.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;es&#8221;, &#8220;us&#8221;, &#8220;de&#8221;.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure
class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcao8fkEypruTuS5S60kQoQkY3422A3DMFE2bRBcH8Caly-q-H8BF1c3EjbbzncGhburMh1xYydB25fI5AWuAr-gqWMowgjfsKHZPpagWN0UZwEjHT1o1V-B-54CcBMzJ-oh1oF-Vhkf3QRGrQvRKCkbSJ6?key=dwG56OvlPN20YW-3ltzPvg\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>Results for a query that includes a threat name (Remcos) and country (Brazil)<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Here is an example of a query for samples of the Remcos malware submitted by users in Brazil. The service provides a list of sandbox sessions that correspond to the request.<\/p>\n\n\n\n<p>Try it:<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522remcos%255C%2522%2520AND%2520submissionCountry:%255C%2522es%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&quot;remcos&quot; AND submissionCountry:&quot;es&quot;<\/a><\/p>\n\n\n\n<p><strong>threatLevel<\/strong><\/p>\n\n\n\n<p>A verdict on the threat level of the sample.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;malicious&#8221;, &#8220;suspicious&#8221;.<\/p>\n\n\n\n<p><strong>taskType<\/strong><\/p>\n\n\n\n<p>The type of the sample submitted to the sandbox.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;URL&#8221;, &#8220;file&#8221;.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdbObOLHnzawS_KGEWNaGM7HXqesRzsIRKgFKr_A2og6mMb8xZEr0_Gs3744TFDZZLFRYWa54p2aibEHVuhcWhZCClzA9s16qdh1kGPfmLNvme3NRTqMSpnlg4ByAX9HqosWP5UcybCytR1HiQKF7Iq3l8?key=dwG56OvlPN20YW-3ltzPvg\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>You can adjust the timeframe of your search to 180, 90, 60, 30, 7, 3, or 1 days<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In this screenshot, you can see a query for
malicious URLs uploaded to the sandbox over the past 24 hours. TI Lookup displays a list of the latest one hundred sessions.<\/p>\n\n\n\n<p>Try it:<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatLevel:%255C%2522malicious%255C%2522%2520AND%2520taskType:%255C%2522URL%255C%2522%2522,%2522dateRange%2522:1%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatLevel:&quot;malicious&quot; AND taskType:&quot;URL&quot;<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Registry<\/h2>\n\n\n\n<p>Registry parameters refer to specific attributes related to registry modifications detected within sandbox sessions. These parameters provide insights into how a threat interacts with the Windows registry.<\/p>\n\n\n\n<p><strong>registryKey<\/strong><\/p>\n\n\n\n<p>The specific key within the registry hive where the modification occurred. Please note: when entering registry keys, use a double backslash (\\\\) to escape each single backslash.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;Windows\\\\CurrentVersion\\\\RunOnce&#8221;, &#8220;Windows NT\\\\CurrentVersion\\\\Windows&#8221;.<\/p>\n\n\n\n<p><strong>registryName<\/strong><\/p>\n\n\n\n<p>The name of the value (field) under the Windows Registry key.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;browseinplace&#8221;, &#8220;docobject&#8221;, &#8220;isshortcut&#8221;.<\/p>\n\n\n\n<p><strong>registryValue<\/strong><\/p>\n\n\n\n<p>The data stored in the Windows Registry value.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;internet explorer\\iexplore.exe&#8221;.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdq_-OVWOK6oUc5kjY7kYUL_VBAXGBGdG7QxI2KYYVLE6eL4SXjbHZ2ZZPTECASKUbG0Wr4E_fN9_2fAtUhmo64rLVClyvBrjKZT42YSkQKcpzFbR6KqvSm4h5I1ZM1ZEvFfyjM5Mo5LXpFY6KRqPOnyuMS?key=dwG56OvlPN20YW-3ltzPvg\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>The service
provides events, synchronization, and network threats associated with the query<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Using the query above, we can identify threats that aim to execute malicious code through scheduled tasks.<\/p>\n\n\n\n<p>Try it:<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522registryKey:%255C%2522CurrentVersion%255C%255C%255C%255CSchedule%255C%2522%2520AND%2520registryValue:%255C%2522.exe%255C%2522%2522,%2522dateRange%2522:14%7D\" target=\"_blank\" rel=\"noreferrer noopener\">registryKey:&quot;CurrentVersion\\\\Schedule&quot; AND registryValue:&quot;.exe&quot;<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Environment<\/h2>\n\n\n\n<p>These parameters are used to provide context about the environment where a threat was detected or executed.<\/p>\n\n\n\n<p><strong>os<\/strong><\/p>\n\n\n\n<p>The specific version of Windows used in the environment.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;11&#8221;, &#8220;10&#8221;, &#8220;7&#8221;.<\/p>\n\n\n\n<p><strong>osBitVersion<\/strong><\/p>\n\n\n\n<p>The bitness of the operating system, 32-bit or 64-bit.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;32&#8221;, &#8220;64&#8221;.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdD2IgiWTIzRFPVIvFuc-HDmPDt2saZvXhxz0PiHx8kbWRzw3MVTRCdIrDbrEKwofe3Y4adllGgOlclOVrWq9_2815e82tDxQFdIH4T2Lv0F1DekLCQAPAK8EB-AVyU9O0EwQp1Co0B2pXM1nQ6RKBQctOw?key=dwG56OvlPN20YW-3ltzPvg\"
alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>The service provides Lumma analysis sessions that you can explore<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We can use these parameters to, for instance, discover Windows 11 x64 sandbox sessions containing analysis of the <a href=\"https:\/\/any.run\/malware-trends\/lumma\">Lumma stealer<\/a> launched in the service over the past 14 days.<\/p>\n\n\n\n<p>Try it:<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522lumma%255C%2522%25C2%25A0AND%25C2%25A0os:%255C%252210%255C%2522%25C2%25A0AND%25C2%25A0osSoftwareSet:%255C%2522complete%255C%2522%25C2%25A0AND%25C2%25A0osBitVersion:%255C%252264%255C%2522%2522,%2522dateRange%2522:14%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&quot;lumma&quot; AND os:&quot;10&quot; AND osSoftwareSet:&quot;complete&quot; AND osBitVersion:&quot;64&quot;<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Detection<\/strong><\/h2>\n\n\n\n<p>These parameters describe the detection signatures and MITRE ATT&amp;CK TTPs relating to the execution of threats in the sandbox.<\/p>\n\n\n\n<p><strong>ruleName<\/strong><\/p>\n\n\n\n<p>The name of the detection rule.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;Executable content was dropped or overwritten&#8221;, &#8220;Phishing has been detected&#8221;.<\/p>\n\n\n\n<p><strong>ruleThreatLevel<\/strong><\/p>\n\n\n\n<p>The threat level assigned to a particular event.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;malicious&#8221;, &#8220;suspicious&#8221;,
&#8220;info&#8221;.<\/p>\n\n\n\n<p><strong>MITRE<\/strong><\/p>\n\n\n\n<p>Techniques used by the malware according to the MITRE ATT&amp;CK classification.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;T1071&#8221;, &#8220;T1114.001&#8221;.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXePbF_ReiKpNsDkvPmeK3iisBcP6wlWm7Qvk4Vsjw0obGoa0z7mLWcuKR5nK4Gt5aTdqI_Isk7wCYU_hwvcjVsJz5Omr6At77xXiX83tWfEox9oQLf3HEgdqWP8SZKEGyovX7hVa1a2sM8IluNgIGB1hNe9?key=dwG56OvlPN20YW-3ltzPvg\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>The service provides events, mutexes, files, network threats, and sessions<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Let&#8217;s consider a query combining the MITRE ATT&amp;CK technique T1053.005 (Scheduled Task), which describes a common persistence mechanism, with a detection rule for threats that steal browser credentials.<\/p>\n\n\n\n<p>Try it:<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522MITRE:%255C%2522T1053.005%255C%2522%2520AND%2520ruleName:%255C%2522Steals%2520credentials%2520from%2520Web%2520Browsers%255C%2522%2522,%2522dateRange%2522:14%7D\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE:&quot;T1053.005&quot; AND ruleName:&quot;Steals credentials from Web Browsers&quot;<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Module<\/strong><\/h2>\n\n\n\n<p>Module parameters refer to specific modules or components within a threat.
This can be a DLL, library, or other executable that is loaded by the main executable.<\/p>\n\n\n\n<p><strong>moduleImagePath<\/strong><\/p>\n\n\n\n<p>The full path to the module&#8217;s image file, i.e., the location on disk where the module&#8217;s executable is stored.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;SysWOW64\\\\cryptbase.dll&#8221;, &#8220;SysWOW64\\\\msasn1.dll&#8221;.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfkoESHC5FD7Do4x1NMhGrnoV2dWtC3WxZxpFtEldgrNjC7aI1BbVIxF3YYeiObXE1HSoGo7lmUSm_L59C2r87zawvFfEBDLznfoxHW4upmqanV6Tuw8EV9_ELfY06qydy0rokkEe9OcoAowFzaxNsB6NAh?key=dwG56OvlPN20YW-3ltzPvg\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>The service yields events, files, and other results in response to the query<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Above you can see an example of a query that looks for all sandbox sessions in which KernelBase.dll was loaded from the SysWOW64 directory.<\/p>\n\n\n\n<p>Try it:<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522moduleImagePath:%255C%2522SysWOW64%255C%255C%255C%255CKernelBase.dll%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">moduleImagePath:&quot;SysWOW64\\\\KernelBase.dll&quot;<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Connection<\/strong><\/h2>\n\n\n\n<p>The Connection parameters describe network-related aspects of a threat.<\/p>\n\n\n\n<p><strong>domainName<\/strong><\/p>\n\n\n\n<p>The domain name that was recorded during the threat execution in a sandbox.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;tventyvd20sb[.]top&#8221;, &#8220;5.tcp.ngrok[.]io&#8221;.<\/p>\n\n\n\n<p><strong>destinationIP<\/strong><\/p>\n\n\n\n<p>The IP address of the network connection that was established or
attempted.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;147[.]185[.]221[.]22&#8221;, &#8220;162[.]125[.]66[.]15&#8221;.<\/p>\n\n\n\n<p><strong>destinationPort<\/strong><\/p>\n\n\n\n<p>The network port through which the connection was established.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;49760&#8221;, &#8220;49780&#8221;.<\/p>\n\n\n\n<p><strong>destinationIpAsn<\/strong><\/p>\n\n\n\n<p>The autonomous system (ASN) to which the destination IP address belongs.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;akamai-as&#8221;, &#8220;akamai international b.v.&#8221;.<\/p>\n\n\n\n<p><strong>destinationIPgeo<\/strong><\/p>\n\n\n\n<p>Two-letter country or
region code of the detected IP geolocation.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;ae&#8221;, &#8220;de&#8221;.<\/p>\n\n\n\n<p><strong>ja3, ja3s, jarm<\/strong><\/p>\n\n\n\n<p>TLS fingerprints (JA3 of the client hello, JA3S of the server hello, JARM of the server&#8217;s TLS responses) that can indicate certain threats.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;1af33e1657631357c73119488045302c&#8221; (JA3S), &#8220;a0e9f5d64349fb13191bc781f81f42e1&#8221; (JA3).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfYhvYCtg8nR4IBP-R8s3HQnOwM_zCCVEMORYeCCq88JrGnMgbqmx9oIA8SwKbM6DH6RydlsAXtQDTMl6GaPrGlJnYk76mhndScAafOwzGsQFugxUGZWcgqWlQ9-JClZxYz76p1uEkf4fa9UoIDWfJypjcq?key=dwG56OvlPN20YW-3ltzPvg\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>You can explore the network threats tab to see triggered Suricata IDS rules<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In the picture above, we can see a query that searches for threats flagged as malicious that made connections to IP addresses located in the Czech Republic (CZ) and belonging to Cogent Communications (ASN cogent-174).<\/p>\n\n\n\n<p>Try it:<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522destinationIpAsn:%255C%2522cogent-174%255C%2522%2520AND%2520destinationIPgeo:%255C%2522cz%255C%2522%2520AND%2520threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">destinationIpAsn:&quot;cogent-174&quot; AND destinationIPgeo:&quot;cz&quot; AND threatLevel:&quot;malicious&quot;<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Process<\/strong><\/h2>\n\n\n\n<p>The following parameters relate to processes registered during active sandbox sessions.<\/p>\n\n\n\n<p><strong>imagePath<\/strong><\/p>\n\n\n\n<p>The full path to the process image (executable file).<\/p>\n\n\n\n<p><em>Examples<\/em>:
&#8220;System32\\\\conhost.exe&#8221;, &#8220;Framework\\\\v4.0.30319\\\\RegAsm.exe&#8221;.<\/p>\n\n\n\n<p><strong>commandLine<\/strong><\/p>\n\n\n\n<p>The full command line that started the process. As the examples show, a fragment of the value is enough to match, and the * wildcard can stand in for the part you do not know.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;PDQConnectAgent\\\\pdq-connect-agent.exe &#8211;service&#8221;, &#8220;system32\\\\cmd.exe \/c&#8221;.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfiG0D0e8X1JaLV4hVBBsWZEiH87lVwozQM-U701bHQSGwENZUdb2cxQ3HBPr_3msK0qYfEcXkzgNYKTXZhYBfnEMr8KCfgUgkEy8R_nUsQt3_SLZHhbtNjAzFhv8SOGT9zX4RSI5UFrkSEjG7ea_b1vgfT?key=dwG56OvlPN20YW-3ltzPvg\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>The Events tab shows the exact processes matching the query<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Combining the two parameters, we can find Strela Stealer samples in which net.exe mounts a WebDAV share on the C2 server (the DavWWWRoot path component marks the Windows WebDAV redirector) and a DLL name appears later in the same command line; the * wildcard in the commandLine value matches whatever sits between the folder and the DLL.<\/p>\n\n\n\n<p>Try it:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-161\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"161\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: 
underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522davwwwroot*dll%255C%2522%2520AND%2520imagePath:%255C%2522net.exe%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522davwwwroot*dll%255C%2522%2520AND%2520imagePath:%255C%2522net.exe%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"commandLine:&quot;davwwwroot*dll&quot; AND imagePath:&quot;net.exe&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">commandLine:&quot;davwwwroot*dll&quot; AND imagePath:&quot;net.exe&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-161'>\ntable#wpdtSimpleTable-161{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-161 td, table.wpdtSimpleTable161 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Network Threats<\/strong><\/h2>\n\n\n\n<p>These parameters describe network-based threats detected by the Suricata intrusion detection system (IDS).<\/p>\n\n\n\n<p><strong>suricataMessage<\/strong><\/p>\n\n\n\n<p>The alert message (the rule&#8217;s msg field) that Suricata attached to the detection. Messages beginning with ET come from the Emerging Threats ruleset; those tagged [ANY.RUN] come from ANY.RUN&#8217;s own rules.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;ET INFO 404\/Snake\/Matiex Keylogger Style External IP Check&#8221;, &#8220;STEALER [ANY.RUN] Stealc HTTP POST Request&#8221;.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img 
decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXd9meEFc2cn13XoTPw8AR23qJmdVzSMyqvTi-nhqlOrTXeYdsSj2HVnA3-YvODFN1jowjzO82T1VHhg4xmGLLSfzRC1omDUzCsgsMHH7nYKuHi3JqhcSFLr-iOm-l_YymbcIjJoSBzdtyLusWFGM_SGOwI?key=dwG56OvlPN20YW-3ltzPvg\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>Searching by Suricata message surfaces RedLine C2 IPs extracted from malware configurations (malconf)<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>A Suricata message is a good pivot: from one detection we can reach further samples of the same threat and their IOCs, including C2 addresses extracted directly from the malware&#8217;s configuration rather than only those seen on the wire.<\/p>\n\n\n\n<p>Try it:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-162\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"162\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522suricataMessage:%255C%2522ET%2520MALWARE%2520Redline%2520Stealer%2520TCP%2520CnC%2520Activity%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" 
data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522suricataMessage:%255C%2522ET%2520MALWARE%2520Redline%2520Stealer%2520TCP%2520CnC%2520Activity%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"suricataMessage:&quot;ET MALWARE Redline Stealer TCP CnC Activity&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">suricataMessage:&quot;ET MALWARE Redline Stealer TCP CnC Activity&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-162'>\ntable#wpdtSimpleTable-162{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-162 td, table.wpdtSimpleTable162 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p><strong>suricataClass<\/strong><\/p>\n\n\n\n<p>The classification (the rule&#8217;s classtype) that Suricata assigns to the alert, which groups rules by the kind of activity they describe.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;misc activity&#8221;, &#8220;a network trojan was detected&#8221;.<\/p>\n\n\n\n<p><strong>suricataID<\/strong><\/p>\n\n\n\n<p>The signature ID (sid) of the Suricata rule. Searching by sid is the exact way to pivot on a rule, because a message can be reworded between ruleset releases while the sid stays the same.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;2044767&#8221;, &#8220;8001997&#8221;.<\/p>\n\n\n\n<p><strong>suricataThreatLevel<\/strong><\/p>\n\n\n\n<p>The severity assigned to the alert in ANY.RUN, based on the potential impact of the activity the rule describes.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;malicious&#8221;, &#8220;suspicious&#8221;, &#8220;info&#8221;.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" 
src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXddMo3u-JaCUdWth9O20a5syQuiScnwoHfG3-ukbBfWN8-5ThozJBNAY9wLxKeFcui74fuWDsXy_DtqzgBaWq7-aCPFQvfPyZCnMTxr-OMeVTP0CqKopRLPECKBRM73MB-lJuxcXCHnCHRGEaeBKYjtrBo?key=dwG56OvlPN20YW-3ltzPvg\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>The service returns the Suricata IDS rules that detect njRAT<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>By combining suricataThreatLevel with threatName, we can collect the Suricata rules that fire with a malicious verdict on a specific malware family, here njRAT, which is a quick way to check which network signatures already cover it.<\/p>\n\n\n\n<p>Try it:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-163\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"163\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522suricataThreatLevel:%255C%2522malicious%255C%2522%2520AND%2520threatName:%255C%2522njrat%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" 
data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522suricataThreatLevel:%255C%2522malicious%255C%2522%2520AND%2520threatName:%255C%2522njrat%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"suricataThreatLevel:&quot;malicious&quot; AND threatName:&quot;njrat&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">suricataThreatLevel:&quot;malicious&quot; AND threatName:&quot;njrat&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-163'>\ntable#wpdtSimpleTable-163{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-163 td, table.wpdtSimpleTable163 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\"><strong>File<\/strong><\/h2>\n\n\n\n<p>These parameters describe file-related aspects of a threat.<\/p>\n\n\n\n<p><strong>filePath<\/strong><\/p>\n\n\n\n<p>The full path to the file on the system. As the examples show, a fragment of the path or file name is accepted, so a lure name such as &#8220;invoice&#8221; matches wherever it appears in the path.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;invoice&#8221;, &#8220;order&#8221;.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcPJktDDUokLZJYkNwSNtpsr4NZMQTchV8ax1c4Uh-wYLHF9_E9ZHLYhw52cpU_ukhHNLSyOdqWdxKPNwXvb5-R-o7XC3vFy2qFI81OSnN53CRXnUKYE4_Q1UIP5RNHdimCZNztRvgLEtVDlNaZjvxx0Ys?key=dwG56OvlPN20YW-3ltzPvg\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>A query for sessions in which a README.TXT file was dropped on the desktop, a common location for a ransom note<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We can combine this parameter with threatLevel to find sessions flagged as malicious in which a file with a specific path was created. Note that the query quotes the path and doubles each backslash.<\/p>\n\n\n\n<p>Try it:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-179\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"179\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522filePath:%255C%2522Users%255C%255C%255C%255Cadmin%255C%255C%255C%255CDesktop%255C%255C%255C%255CREADME.TXT%255C%2522%2520AND%2520threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522filePath:%255C%2522Users%255C%255C%255C%255Cadmin%255C%255C%255C%255CDesktop%255C%255C%255C%255CREADME.TXT%255C%2522%2520AND%2520threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"filePath:&quot;Users\\\\admin\\\\Desktop\\\\README.TXT&quot; AND threatLevel:&quot;malicious&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" 
data-link-content=\"wpdt-link-content\">filePath:&quot;Users\\\\admin\\\\Desktop\\\\README.TXT&quot; AND threatLevel:&quot;malicious&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-179'>\ntable#wpdtSimpleTable-179{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-179 td, table.wpdtSimpleTable179 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p><strong>fileExtension<\/strong><\/p>\n\n\n\n<p>The extension that indicates the file type.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;exe&#8221;, &#8220;dll&#8221;.<\/p>\n\n\n\n<p><strong>sha256, sha1, md5<\/strong><\/p>\n\n\n\n<p>Hash values relating to a file.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;1412faf1bfd96e91340cedcea80ee09d&#8221;, &#8220;ce554fe53b2620c56f6abb264a588616&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcmyLKxq_qWGLRE6Aiu0p282woZVD41DPhXOYQvxEf7LYn5du0UjIj0-KN0lJ2lCvUiuiZaGtfIZhMW8HE1OCZyuIs64UqZQ0p4MWOW2VJObNW7l5KBVDaGnMK1e7gOLlBKjcLDRQ79822yPobWNhr1Hpw?key=dwG56OvlPN20YW-3ltzPvg\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>In response to a hash query, the service returns events, network threats, files, and other data<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We can use the hash of a malicious file to discover the specific malware family it relates to.<\/p>\n\n\n\n<p>Try it:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-164\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"164\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>   
     <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522md5:%255C%25224d77626d9f9d029f9f5059d72264231d%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522md5:%255C%25224d77626d9f9d029f9f5059d72264231d%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"md5:&quot;4d77626d9f9d029f9f5059d72264231d&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">md5:&quot;4d77626d9f9d029f9f5059d72264231d&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-164'>\ntable#wpdtSimpleTable-164{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-164 td, table.wpdtSimpleTable164 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Synchronization<\/strong><\/h2>\n\n\n\n<p>These parameters describe synchronization-related activities within a threat, such as 
mutexes.<\/p>\n\n\n\n<p><strong>syncObjectName<\/strong><\/p>\n\n\n\n<p>The name or identifier of the synchronization object. Many families hardcode a mutex name to stop a second copy of themselves from running, which makes the name a stable, family-level indicator.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;rmc&#8221;, &#8220;m0yv&#8221;.<\/p>\n\n\n\n<p><strong>syncObjectType<\/strong><\/p>\n\n\n\n<p>The type of synchronization object used.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;event&#8221;, &#8220;mutex&#8221;.<\/p>\n\n\n\n<p><strong>syncObjectOperation<\/strong><\/p>\n\n\n\n<p>The operation performed on the synchronization object.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;create&#8221;, 
&#8220;open&#8221;.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfHmdJ3U9YFXDll0HLa80aMKzQ6CvjwKceLEFwScqu694NePo72WtIgVu9x7ghx95XDEx5uRV90TQt4u_lEXPC1LTTf3whPIks9LoL6LrkE0mG5l_e2ytavbky96Vd4Vau6n8edRDFxSQh1oZD34utdeqoa?key=dwG56OvlPN20YW-3ltzPvg\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>The service lists the synchronization objects found in sessions analyzing the XWorm malware<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>By combining syncObjectOperation and syncObjectType with threatName, we can list the mutexes (or events) that a particular malware family creates during execution; restricting the operation to create leaves out objects the sample merely opens.<\/p>\n\n\n\n<p>Try it:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-165\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"165\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522syncObjectOperation:%255C%2522create%255C%2522%2520AND%2520syncObjectType:%255C%2522mutex%255C%2522%2520AND%2520threatName:%255C%2522xworm%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522syncObjectOperation:%255C%2522create%255C%2522%2520AND%2520syncObjectType:%255C%2522mutex%255C%2522%2520AND%2520threatName:%255C%2522xworm%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"syncObjectOperation:&quot;create&quot; AND syncObjectType:&quot;mutex&quot; AND threatName:&quot;xworm&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">syncObjectOperation:&quot;create&quot; AND syncObjectType:&quot;mutex&quot; AND threatName:&quot;xworm&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-165'>\ntable#wpdtSimpleTable-165{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-165 td, table.wpdtSimpleTable165 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\"><strong>URL<\/strong><\/h2>\n\n\n\n<p>These parameters describe network traffic related to HTTP requests and responses.<\/p>\n\n\n\n<p><strong>url<\/strong><\/p>\n\n\n\n<p>The URL called by the process.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;http:\/\/192[.]168[.]37[.]128:8880[\/]zv8u&#8221;, 
&#8220;http:\/\/tventyvd20sb[.]top\/v1\/upload[.]php&#8221;.<\/p>\n\n\n\n<p><strong>httpRequestContentType<\/strong><\/p>\n\n\n\n<p>The Content-Type header of the HTTP request sent to the server.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;application\/octet-stream&#8221;.<\/p>\n\n\n\n<p><strong>httpResponseContentType<\/strong><\/p>\n\n\n\n<p>The Content-Type header of the HTTP response received from the server.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;text\/html&#8221;.<\/p>\n\n\n\n<p><strong>httpRequestFileType<\/strong><\/p>\n\n\n\n<p>The type of the file carried in the body of the HTTP request, that is, an upload.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;binary&#8221;.<\/p>\n\n\n\n<p><strong>httpResponseFileType<\/strong><\/p>\n\n\n\n<p>The type of the file carried in the body of the HTTP response, that is, a download.<\/p>\n\n\n\n<p><em>Examples<\/em>: &#8220;binary&#8221;.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXeVzJ8CQymEk5MEpVqahay4eXXzMRmOeHsn4m3ayU_0PcAsb7FZ-uau58hlpq3TsxUyg9QxElQr-M1s_bV2B46_2A1WP1GVZb-YO1ntCQpKQlOVPLG4vL0cO2IhTtxHCbkZU7NM90nMCnjoQPP5dK3V0EBr?key=dwG56OvlPN20YW-3ltzPvg\" alt=\"\"\/><figcaption class=\"wp-element-caption\"><em>Results for HTTP requests carrying a binary file in HijackLoader sandbox sessions<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Here the parameter is again combined with threatName, this time to find HijackLoader sessions in which a binary file was sent in the body of an HTTP request. For payloads that a loader fetches from its server, httpResponseFileType is the parameter to use instead.<\/p>\n\n\n\n<p>Try it:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-166\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"166\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr 
class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522httpRequestFileType:%255C%2522binary%255C%2522%2520AND%2520threatName:%255C%2522hijackloader%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522httpRequestFileType:%255C%2522binary%255C%2522%2520AND%2520threatName:%255C%2522hijackloader%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"httpRequestFileType:&quot;binary&quot; AND threatName:&quot;hijackloader&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">httpRequestFileType:&quot;binary&quot; AND threatName:&quot;hijackloader&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-166'>\ntable#wpdtSimpleTable-166{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-166 td, table.wpdtSimpleTable166 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 
class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>ANY.RUN&#8217;s Threat Intelligence Lookup offers a comprehensive set of search parameters that enable security professionals to effectively analyze and investigate threats. Using these search options, you can identify and enrich your information on emerging threats.<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktotiplans\/\" target=\"_blank\" rel=\"noreferrer noopener\">Try Threat Intelligence Lookup for free \u2192<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=search_params_ti&amp;utm_term=180924&amp;utm_content=linktolanding\/\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. 
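<\/p>\n\n\n\n<p>The queries linked throughout this post share one grammar: field:&quot;value&quot; terms joined with AND or OR, * as a wildcard, and Windows paths written with doubled backslashes. The &#8220;Try it&#8221; links share one layout as well: the URL fragment is the JSON object {&quot;query&quot;: ..., &quot;dateRange&quot;: 180} percent-encoded twice. The Python helper below is an added example rather than ANY.RUN&#8217;s own code. It builds a correctly escaped query from field\/value pairs, turns it into a link in that layout, and decodes such a link back into its query. The grammar and the link layout are read off the links above; that the service accepts every link built this way is an assumption, and the function names are ours.<\/p>\n\n\n\n
```python
r"""Build, encode and decode ANY.RUN TI Lookup query links.

Added example for this post; not ANY.RUN's own code. The query grammar
(field:"value" terms joined with AND/OR, * as a wildcard, doubled backslashes
in Windows paths) and the link layout are read off the "Try it" links in the
post: the URL fragment is the compact JSON object {"query": ..., "dateRange": N}
percent-encoded twice. That the service accepts every link built this way is an
assumption; the function names are ours.
"""
import json
from urllib.parse import quote, unquote

# Base URL as it appears in the post's links, without the UTM parameters.
LOOKUP_URL = "https://intelligence.any.run/analysis/lookup/"

# Characters the post's links leave unencoded on the first and second pass.
# Everything else (quotes, spaces, backslashes, braces, %) gets encoded.
_SAFE_FIRST = "{}:,*"
_SAFE_SECOND = ":,*"


def escape_value(value: str) -> str:
    r"""Escape a raw value for use inside a quoted term.

    TI Lookup queries write Windows paths with doubled backslashes
    (filePath:"Users\\admin\\Desktop\\README.TXT" in the post), and an
    embedded double quote must not end the term early. The * wildcard is
    passed through unchanged.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_query(terms, op="AND"):
    """Join (field, raw_value) pairs into one query string.

    A list of pairs rather than a dict, so the same field can appear more
    than once (two threatName values joined with OR, for instance).
    """
    if op not in ("AND", "OR"):
        raise ValueError("op must be AND or OR")
    return f" {op} ".join(f'{field}:"{escape_value(value)}"' for field, value in terms)


def lookup_link(query: str, date_range: int = 180) -> str:
    """Turn a query into a shareable TI Lookup URL in the post's link layout."""
    body = json.dumps({"query": query, "dateRange": date_range}, separators=(",", ":"))
    once = quote(body, safe=_SAFE_FIRST)    # " -> %22, \ -> %5C, space -> %20
    twice = quote(once, safe=_SAFE_SECOND)  # { -> %7B, % -> %25
    return f"{LOOKUP_URL}#{twice}"


def parse_lookup_link(url: str) -> dict:
    """Recover the query object from a link, e.g. one pasted from a report."""
    if "#" not in url:
        raise ValueError("not a TI Lookup link: no fragment")
    fragment = url.split("#", 1)[1]
    return json.loads(unquote(unquote(fragment)))


if __name__ == "__main__":
    query = build_query([("destinationIpAsn", "cogent-174"),
                         ("destinationIPgeo", "cz"),
                         ("threatLevel", "malicious")])
    link = lookup_link(query)
    print(query)
    print(link)
    print(parse_lookup_link(link)["query"] == query)
```
\n\n\n\n<p>Run as a script, it reproduces the fragment of the Cogent\/Czech Republic link in the Network section exactly, so the same function can mint pivot links for an investigation from a script or a playbook instead of by hand, and parse_lookup_link recovers the query from a link found in a report.<\/p>\n\n\n\n<p>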
Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.<\/p>\n","protected":false},"author":1,"featured_media":8844,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[57,10,34,40],"class_list":["post-8834","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-instructions","tag-anyrun","tag-cybersecurity","tag-malware-analysis","tag-malware-behavior"],"acf":[]}