# Spectra Core tags

## Generic tags - can be applied to many file formats

| Tag | Description |
| --- | --- |
| access-control-information | The file contains access control descriptors such as file permissions, group memberships or similar information about a securable object |
| anonymous-email | The file contains e-mail addresses from anonymous e-mail providers |
| cert-appendix | The file contains additional data after the certificate |
| cert-bad-checksum | The file was signed with an invalid certificate (it didn't pass the validation process) |
| cert-bad-timestamp | The file is digitally signed with a certificate that has a bad timestamp |
| cert-cross-signed | The file is digitally signed with a Microsoft cross-certificate for kernel mode code signing |
| cert-dual-signed | The file is digitally signed with two signatures that independently verify file integrity |
| cert-expired | The file's certificate chain has at least one expired certificate |
| cert-impersonate | The file is digitally signed with a certificate that impersonates one of the well-known entities (e.g. Microsoft or Google) |
| cert-invalid | The file was signed with an invalid certificate (it didn't pass the validation process) |
| cert-malformed | The file is digitally signed with a certificate that was malformed |
| cert-pagehashes-bad-checksum | The file was signed with an invalid certificate (it didn't pass the validation process) |
| cert-revoked | The file is digitally signed with a certificate that has been revoked |
| cert-revoked-aa-compromise | The file is digitally signed with a certificate that has been revoked due to AA compromise |
| cert-revoked-affiliation-changed | The file is digitally signed with a certificate that has been revoked due to change in affiliation |
| cert-revoked-ca-compromise | The file is digitally signed with a certificate that has been revoked due to CA compromise |
| cert-revoked-cert-hold | The file is digitally signed with a certificate that has been put on hold (the signer has been suspended) |
| cert-revoked-cessation-of-operation | The file is digitally signed with a certificate that has been revoked because the signer has ceased its operations |
| cert-revoked-key-compromise | The file is digitally signed with a certificate that has been revoked due to private key compromise |
| cert-revoked-privilege-withdrawn | The file is digitally signed with a certificate that has been revoked because the signer's privilege has been withdrawn |
| cert-revoked-remove-from-crl | The file is digitally signed with a certificate that has been removed from the revocation list |
| cert-revoked-superseded | The file is digitally signed with a certificate that has been revoked because it has been superseded |
| cert-revoked-unspecified | The file is digitally signed with a certificate that has been revoked for an unspecified reason |
| cert-self-signed | The file is digitally signed with a self-signed certificate (e.g. JAR or APK) |
| cert-signed | The file is digitally signed with a certificate (signature may or may not be valid) |
| cert-signed-after-expiration | The file was digitally counter-signed after at least one certificate in the certificate chain expired |
| cert-signed-after-revocation | The file is digitally signed with a certificate that had already been revoked at the time of signing |
| cert-signed-after-valid-time | The file is digitally signed with a certificate that was used after its validity period ended |
| cert-signed-before-issuing | The file is digitally signed with a certificate that was used before its validity period started |
| cert-timestamped | The file was digitally counter-signed by a timestamping service hosted by a certificate authority |
| cert-cert-timestamped-revoked | The file was digitally counter-signed by a timestamping service certificate that has been revoked |
| cert-cert-timestamped-untrusted | The file was digitally counter-signed by a timestamping service, but its root CA certificate is not in the Spectra Core certificate store |
| cert-untrusted | The file is digitally signed with a certificate that is valid, but its root CA certificate is not in the Spectra Core certificate store |
| cert-weak-crypto | The file was digitally signed with certificates using insecure cryptography or old hashing algorithms |
| cert-weak-crypto-key | The file was digitally signed with certificates using insecure cryptography (e.g. RSA with less than 2048 bits) |
| cert-weak-crypto-digest | The file was digitally signed with certificates using an old hashing algorithm (e.g. MD5) |
| contains-api-key | The file contains an API key used to authenticate a user, developer, or calling program to an API |
| contains-archive | The file contains one or more archive files (such as ZIP, RAR, Jar) |
| contains-document | The file contains one or more document files |
| contains-elf | The file contains one or more ELF (Executable and Linkable Format) files |
| contains-key-secret-pair | The file contains plaintext credentials, generally used for authentication |
| contains-macho | The file contains one or more Mach-O files |
| contains-pe | The file contains one or more PE (Portable Executable) files |
| contains-private-key-encrypted | The file contains an encrypted PKI private key |
| contains-private-key-plaintext | The file contains a PKI private key |
| contains-private-ssh-key-encrypted | The file contains an encrypted SSH key |
| contains-private-ssh-key-plaintext | The file contains an SSH key |
| contains-script | The file contains one or more script files |
| contains-token | The file contains an access or refresh token generally used for authentication |
| contains-webhook | The file contains a private webhook which may contain sensitive information |
| cryptocurrency | The file has cryptocurrency-related indicators (e.g. accesses Bitcoin wallet files) |
| dde | The file has Dynamic Data Exchange capabilities that may be used to interact with other applications |
| desktop | The file appears to be a desktop application (e.g. PE or ELF) |
| email-outlook | The file has Outlook-related indicators (e.g. accesses mailbox files, credentials) |
| email-pattern | The file has generic e-mail-related indicators (e.g. accesses mailbox files, credentials) |
| email-thunderbird | The file has Thunderbird-related indicators (e.g. accesses mailbox files, credentials) |
| encrypted | The file contains encrypted files (e.g. a password-protected archive) |
| entropy-high | The file has unusually high entropy (i.e. entropy > 7) |
| entropy-zero | The file is zero-filled (full of 00 bytes) |
| exif | The file has EXIF metadata (such as camera information or GPS metadata) |
| format-bad-checksum | The file likely contains corrupted content as it has failed the data integrity check |
| format-bad-password | The file is password protected, and no provided passwords were a good match |
| format-unsupported | The file format is currently not supported, and it requires a deeper level of inspection to be fully analyzed |
| geotagging | The file has EXIF metadata containing GPS coordinates |
| guid-activex-killbit | The file contains ActiveX GUIDs with the Kill-Bit flag set |
| im-skype | The file has Skype-related indicators (e.g. accesses chat history, credentials) |
| image-corrupt | The image is corrupt because of some format discrepancy (e.g. invalid segment size) |
| image-malformed | The image is malformed (e.g. a frame dimension is zero) |
| image-segment-duplicate | The image has a duplicate segment |
| image-segment-unexpected-location | An image segment has been found in an unexpected location |
| image-segment-unknown | An unknown image segment has been encountered |
| localized-entry-point | The file contains localization-specific entry points |
| linguist | The file's subtype was determined by a ReversingLabs machine learning model |
| machine-learning | The file was classified by a ReversingLabs machine learning model |
| ml-model | The file contains a machine learning model |
| nsis-table-invalid-offset | The NSIS installer is corrupt due to an invalid table offset |
| nsis-table-invalid-size | The NSIS installer is corrupt due to an invalid table size |
| ntfs-alternate-data-stream | The file contains data which was part of an NTFS Alternate Data Stream |
| obfuscated | The file contains obfuscated code or data |
| probably-packed | A heuristic method determined that the PE file may be packed |
| overlay | The file has an overlay (appended data at the file's end) - applies only to PE files |
| password | The file is password-protected (e.g. a password-protected archive) |
| ransomware-artifact | The file contains artifacts associated with ransomware (e.g. mail addresses, domains) |
| ransomware-encrypted | The file was encrypted by known ransomware (e.g. TeslaCrypt encrypted files) |
| script | The file appears to be a script (e.g. shell or JavaScript) |
| sql-query | The file contains generic SQL queries |
| ssh-key | The file can use or modify SSH keys |
| stego | The file is a result of stego extraction |
| stego-compressed | The file contains compressed embedded PE files |
| stego-embedded | The file contains plain embedded PE files |
| stego-encoded | The file contains encoded embedded PE files |
| stego-encrypted | The file contains encrypted embedded PE files |
| uri-banking-website | The file contains URLs related to banking and monetary institutions |
| uri-coinmining-domain | The file contains URLs related to coinmining services |
| uri-credentials | The file contains URLs that embed sign-in credentials in plaintext due to protocol requirements |
| uri-deceptive-file | The file contains URLs that point to executable content hidden behind double extensions |
| uri-domain-blacklisted | The file contains URLs that point to a known blacklisted domain |
| uri-domain-homoglyph | The file contains URLs that try to trick the user into thinking they are visiting a trusted domain |
| uri-domain-phishtest | The file contains URLs that are used in simulated phishing tests |
| uri-domain-punycode | The file contains URLs that try to trick the user into thinking they are visiting a trusted domain |
| uri-domain-spoofed | The file contains URLs that try to trick the user into thinking they are visiting a trusted domain |
| uri-domain-typosquat | The file contains URLs that try to trick the user into thinking they are visiting a trusted domain |
| uri-dynamic-dns | The file contains URLs pointing to domains hosted on dynamic DNS |
| uri-hostname-length | The file contains URLs pointing to domains that are unusually long |
| uri-interesting-file | The file contains URLs that point to interesting files or file extensions |
| uri-ip-address | The file contains URLs pointing to webservers hosted on IP addresses |
| uri-malicious-redirect | The file contains URLs that redirect to malicious domains |
| uri-malware-regex | The file contains URLs that match a known malware regex pattern |
| uri-onion-website | The file contains URLs pointing to domains hosted on the Tor network |
| uri-open-redirect | The file contains URLs that redirect to other domains |
| uri-path-length | The file contains URLs pointing to paths that are unusually long |
| uri-path-spoofed | The file contains URLs that point to a known sign-in path but don't reside on the trusted domain |
| uri-placeholder | The file contains URLs with placeholder values for access credentials |
| uri-placeholder-known | The file contains URLs with placeholder values for access credentials |
| uri-restricted | The file contains URLs that were explicitly restricted by the user |
| uri-sanctioned-eu | The file contains URLs of domains hosted in regions with EU sanctions |
| uri-sanctioned-us | The file contains URLs of domains hosted in regions with US sanctions |
| uri-security-website | The file contains URLs related to security product vendors |
| uri-shortened | The file contains shortened URLs |
| uri-subdomain-count | The file contains URLs whose hostnames contain an excessive number of subdomains |
| uri-suspicious-path | The file contains URLs that contain a suspicious path section |
| uri-suspicious-port | The file contains URLs that utilize non-standard ports for the specified protocol |
| uri-suspicious-query | The file contains URLs that include suspicious SQL query commands |
| uri-suspicious-tld | The file contains URLs pointing to domains hosted on suspicious TLDs |
## Behavior tags - describe behavior of executables, documents, scripts, and mobile applications

| Tag | Description |
| --- | --- |
| behavior-registry | The file can access or alter registry settings |
| behavior-copy | The file can copy or move other files |
| behavior-rename | The file can rename or move other files |
| behavior-process-start | The file can start a process or launch an action |
| behavior-shortcut | The file can create a shortcut to an existing file, application, or a command |
| behavior-remove | The file can remove other files |
| behavior-edit-ini | The file can access or modify system configuration |
| behavior-uri | The file can open or reference a URI |
| bidirectional-text | The file contains special unicode characters that influence text display order |
| account-settings-tamper | The file can tamper with user account settings |
| autorun | The file can tamper with autorun settings (e.g. autorun registry keys, autorun locations) |
| av-disable | The file can disable services related to security products |
| av-impersonate | The file can impersonate services related to security products |
| av-service-detect | The file can detect services related to security products |
| av-tamper | The file can tamper with services related to security products |
| backup-tamper | The file can tamper with backups (e.g. erases backup copies, tampers with backup settings) |
| bitlocker-tamper | The file can tamper with BitLocker settings |
| data-exfiltration | The file can exfiltrate various data (e.g. stored credentials, mailbox files, configuration data) |
| dns-tamper | The file can tamper with DNS configuration |
| dns-use | The file can use the DNS protocol (e.g. issues DNS queries, locates network services) |
| file-download | The file has the capability to download files |
| file-overwrite | The file will be overwritten by other files that share the same file path |
| file-upload | The file has the capability to upload files |
| firewall-tamper | The file can tamper with firewall settings |
| ftp-use | The file can use the FTP protocol (e.g. to upload files, to download files) |
| hosts-modifier | The file can tamper with the hosts file or registry keys |
| impersonate-native | The file can impersonate native services (e.g. impersonates Windows Explorer) |
| irc-use | The file can use the IRC communication protocol |
| log-tamper | The file can tamper with logging configuration or log files |
| netntlm-hash-leak | The file contains references to SMB resources that leak NetNTLM hashes |
| network-settings-tamper | The file can tamper with network settings |
| nfs-tamper | The file can tamper with NFS settings |
| privacy-intrusion | The file has indicators related to privacy intrusion (e.g. takes screenshots, monitors user input) |
| privilege-escalation | The file has the capability to elevate user privileges |
| process-injection | The file has the capability to write into other processes |
| process-termination | The file can terminate other processes |
| proxy | The file can access or modify proxy settings |
| registry-tamper | The file can tamper with the registry |
| security-settings-tamper | The file can tamper with various security settings (e.g. security or audit policies) |
| service-disable | The file can disable services |
| smb-tamper | The file can tamper with the SMB protocol |
| startup-tamper | The file can tamper with startup settings (e.g. Windows bootup process) |
| storage-settings-tamper | The file can tamper with storage settings |
| storage-tamper | The file can tamper with external storage |
| uac-bypass | The file can bypass User Account Control |
| update-disable | The file can disable update services |
| virtualization-settings-tamper | The file can tamper with virtualization settings |
| vpn-tamper | The file can tamper with VPN settings |
| vpn-use | The file has the capability to use VPN |
| web-request | The file has the capability to generate web requests |
| wmi-use | The file can use Windows Management Instrumentation (WMI) |
## Application-related tags - apply only to files with application metadata (PE, ELF, OSX, DEX, …)

| Tag | Description |
| --- | --- |
| arch-mips | The file's target CPU architecture is MIPS |
| arch-powerpc | The file's target CPU architecture is PowerPC |
| arch-sparc | The file's target CPU architecture is SPARC |
| arch-x86 | The file's target CPU architecture is x86 |
| arch-x86-64 | The file's target CPU architecture is x86-64 |
| arch-arm-64 | The file's target CPU architecture is ARM64 |
| arch-arm | The file's target CPU architecture is ARM |
| codeview | The application has debugging symbols metadata |
| cui | The application uses Console User Interface subsystem (applies to PE files) |
| force-integrity | The file has integrity protection checks that prevent execution on change |
| gui | The application uses Graphical User Interface subsystem (applies to PE files) |
| installer | The file is an installer package |
| installer-plugin | The file is used only temporarily to provide additional functionality during the installation procedure |
| library-ad | The application contains advertising-related libraries (e.g. Adfonic) |
| library-analytics | The application contains advertising and usage analytics-related libraries (e.g. Google Analytics) |
| library-audio | The application contains audio playback related libraries (e.g. Vorbis) |
| library-browser | The application contains browser-related libraries |
| library-cloud | The application contains cloud networking-related libraries (e.g. Dropbox) |
| library-compression | The application contains compression-related libraries (e.g. Zip) |
| library-crypto | The application contains cryptography-related libraries (e.g. OAuth) |
| library-database | The application contains database-related libraries (e.g. MySQL) |
| library-development | The application contains development-related libraries |
| library-driver | The application contains driver-related libraries |
| library-educational | The application contains education-related libraries |
| library-email | The application contains email-related libraries |
| library-entertainment | The application contains entertainment-related libraries |
| library-gaming | The application contains gaming-related libraries |
| library-graphics | The application contains drawing or rendering libraries (e.g. Unity) |
| library-messaging | The application contains network messaging-related libraries (e.g. RabbitMQ) |
| library-multimedia | The application contains multimedia-related libraries (e.g. Amazon Game Circle) |
| library-networking | The application contains network communication-related libraries (e.g. curl) |
| library-productivity | The application contains productivity-related libraries |
| library-security | The application contains security-related libraries |
| library-social | The application contains social networking-related libraries (e.g. Facebook) |
| library-utility | The application contains programming utility libraries (e.g. ICU) |
| library-virtualization | The application contains virtualization-related libraries |
| lolbin | The file was identified as a LoLBin (living-off-the-land binary) |
| loldriver | The file was identified as a LoLDriver (living-off-the-land driver) |
| pe-bad-checksum | The executable header checksum does not match the application contents |
| plugin | The application is a plugin for a particular software product |
| protection-aslr | The file has the Address Space Layout Randomisation exploit protection enabled |
| protection-dep | The file has the Data Execution Prevention exploit protection enabled |
| protection-ehc | The file has the Exception Handling Continuation exploit protection enabled |
| protection-cfg | The file has the Control Flow Guard exploit protection enabled |
| protection-cpy | The file has the safe memory copy protection enabled |
| protection-ret | The file has the Retpoline exploit protection enabled |
| protection-rfg | The file has the Return Flow Guard exploit protection enabled |
| protection-mpx | The file has the Intel Memory Protection guard enabled |
| protection-xfg | The file has the Extreme Flow Guard exploit protection enabled |
| protection-cet | The file has the Intel Control-Flow Enforcement Technology guard enabled |
| protection-sdl | The file has been compiled to follow the Secure Development Lifecycle guidelines |
| protection-scg | The file has the Static cast guard protection enabled |
| protection-seh | The file has safe exception handling protection enabled |
| protection-stack | The file has buffer overrun exploit protection enabled |
| packed | The application is packed with a known packer (e.g. with UPX) |
| rich-header | The application has rich header metadata (applies to PE files) |
| reproducible-build | The application has been compiled in a reproducible way which invalidates all timestamps |
| sfx | The file is a self-extracting archive (an application that embeds an archive) |
| taggant | The application has Taggant-related metadata |
| tool-hacktool | The application is used to assist hacking |
| tool-steganography | The application has steganography capabilities |
| uefi | The application is designed for the UEFI subsystem (applies to PE files) |
| uninstaller | The application is an uninstaller for a particular software product |
| unsupported-application | The application is deprecated and no longer supported by the vendor |
| updater | The application is an updater for a particular software product |
| version-info | The application has version information metadata |
| vulnerable-with-cve | The application has a vulnerability with an assigned CVE |
| vulnerable-without-cve | The application has a vulnerability without an assigned CVE |
| xbox | The application is designed for the XBOX subsystem (applies to PE files) |
## Mobile-related tags - apply only to mobile applications

| Tag | Description |
| --- | --- |
| android-cupcake | The mobile application uses the Android API level 3 |
| android-donut | The mobile application uses the Android API level 4 |
| android-eclair | The mobile application uses the Android API levels 5 to 7 |
| android-froyo | The mobile application uses the Android API level 8 |
| android-gingerbread | The mobile application uses the Android API levels 9 to 10 |
| android-honeycomb | The mobile application uses the Android API levels 11 to 13 |
| android-ice-cream-sandwich | The mobile application uses the Android API levels 14 to 15 |
| android-jelly-bean | The mobile application uses the Android API levels 16 to 18 |
| android-kitkat | The mobile application uses the Android API levels 19 to 20 |
| android-lollipop | The mobile application uses the Android API levels 21 to 22 |
| android-marshmallow | The mobile application uses the Android API level 23 |
| android-nougat | The mobile application uses the Android API levels 24 to 25 |
| android-oreo | The mobile application uses the Android API levels 26 to 27 |
| android-pie | The mobile application uses the Android API level 28 |
| android-10 | The mobile application uses the Android API level 29 |
| android-11 | The mobile application uses the Android API level 30 |
| mobile | The file appears to be a mobile application (e.g. Android APK or Windows Phone applications) |
| mobile-custom-permissions | The mobile application has user-defined permissions |
| mobile-data-access | The mobile application can read and write to the external storage on the device |
| mobile-deprecated | The mobile application can abuse permissions from deprecated APIs |
| mobile-gps | The mobile application can access location services |
| mobile-infostealer | The mobile application can access and read information such as call logs, contacts, or calendars |
| mobile-logging | The mobile application can read and modify call logs |
| mobile-settings | The mobile application can change system settings on the device |
| mobile-sms | The mobile application can read, write, or receive SMS messages |
| mobile-telco | The mobile application can access and use the telecom connection service |
| mobile-voicemail | The mobile application can access and send voicemail messages |
## Malware tags - identify malware types and refer to other malware metadata

| Tag | Description |
| --- | --- |
| backdoor | The malware was identified as a backdoor |
| c2 | The malware has an embedded malware/data configuration (e.g. C2 info or mutex) |
| custom-packed | The file appears to be packed with a custom packer |
| downloader | The malware was identified as a downloader |
| keylogger | The malware was identified as a keylogger |
| pos | The malware was identified as a point-of-sale malware |
| ransomware | The malware was identified as ransomware |
| threat-hunting-npm | The file is similar to known malicious packages published on the NPM repository |
| threat-hunting-pypi | The file is similar to known malicious packages published on the PyPI repository |
## Packer tags - refer to packer-related metadata

| Tag | Description |
| --- | --- |
| antidebugging | The file uses anti-debugging techniques |
| antidumping | The file uses anti-dumping techniques |
| antiemulation | The file uses anti-emulation techniques |
| antisandbox | The file uses anti-sandbox techniques |
| antitracing | The file uses anti-tracing techniques |
| fake-signature | The file uses fake signatures to thwart signature-based identification |
| import-elimination | The packed file eliminates or has eliminated its import information |
| import-redirection | The packed file redirects imports to make unpacking harder |
| pe-compression | The file has a compressed payload/configuration |
| pe-encryption | The file has an encrypted payload/configuration |
| pe-encryption-rc4 | The file uses RC4 to encrypt the payload/configuration |
| pe-encryption-tea | The file uses TEA to encrypt the payload/configuration |
| polymorphic | The file was packed with a polymorphic packer |
| remove-ep | The packed file has a stolen original entry point |
| remove-header | The packed file removes the PE header during unpacking to make unpacking harder |
| tamper-protection | The file checks for signs of modification to make unpacking harder |
## Browser tags - refer to browser-related metadata

| Tag | Description |
| --- | --- |
| brave-reference | The file contains references to Brave or Brave-related data (e.g. accesses settings, contains Brave user agent strings) |
| chrome-reference | The file contains references to Chrome or Chrome-related data (e.g. accesses settings, contains Chrome user agent strings) |
| chrome-tamper | The file can tamper with Chrome or Chrome-related settings (e.g. performs process injection into the Chrome executable) |
| chromium-reference | The file contains references to Chromium or Chromium-related data (e.g. accesses settings, contains Chromium user agent strings) |
| chromium-tamper | The file can tamper with Chromium or Chromium-related settings (e.g. performs process injection into the Chromium executable) |
| edge-reference | The file contains references to Microsoft Edge or Microsoft Edge-related data (e.g. accesses settings, contains Microsoft Edge user agent strings) |
| firefox-reference | The file contains references to Firefox or Firefox-related data (e.g. accesses settings, contains Firefox user agent strings) |
| firefox-tamper | The file can tamper with Firefox or Firefox-related settings (e.g. performs process injection into the Firefox executable) |
| internet-explorer-reference | The file contains references to Internet Explorer or Internet Explorer-related data (e.g. accesses settings, contains Internet Explorer user agent strings) |
| internet-explorer-tamper | The file can tamper with Internet Explorer or Internet Explorer-related settings (e.g. performs process injection into the Internet Explorer executable) |
| netscape-reference | The file contains references to Netscape or Netscape-related data (e.g. accesses settings, contains Netscape user agent strings) |
| netscape-tamper | The file can tamper with Netscape or Netscape-related settings (e.g. performs process injection into the Netscape executable) |
| opera-reference | The file contains references to Opera or Opera-related data (e.g. accesses settings, contains Opera user agent strings) |
| opera-tamper | The file can tamper with Opera or Opera-related settings (e.g. performs process injection into the Opera executable) |
| safari-reference | The file contains references to Safari or Safari-related data (e.g. accesses settings, contains Safari user agent strings) |
| safari-tamper | The file can tamper with Safari or Safari-related settings (e.g. performs process injection into the Safari executable) |
| seamonkey-reference | The file contains references to SeaMonkey or SeaMonkey-related data (e.g. accesses settings, contains SeaMonkey user agent strings) |
| vivaldi-reference | The file contains references to Vivaldi or Vivaldi-related data (e.g. accesses settings, contains Vivaldi user agent strings) |
| waterfox-reference | The file contains references to Waterfox or Waterfox-related data (e.g. accesses settings, contains Waterfox user agent strings) |
| yandex-reference | The file contains references to Yandex or Yandex-related data (e.g. accesses settings, contains Yandex user agent strings) |
## Classification tags - apply only to classified files

| Tag | Description |
| --- | --- |
| cert-blacklisted | The file was digitally signed with a blacklisted certificate |
| cert-whitelisted | The file was digitally signed with a whitelisted certificate |
| cloud | The file was classified by ReversingLabs Malware Presence (e.g. the hash is a well-known threat) |
| sandbox | The file was classified by ReversingLabs Cloud Sandbox (e.g. the hash is a well-known threat) |
| exploit | The file was classified by Spectra Core exploit detection from an unpacker or a validator (e.g. RTF) |
| graylisting | The file was classified by graylisting (e.g. an archive containing only text files) |
| hierarchy-analyzer | The file was classified by Spectra Core file hierarchy analysis (e.g. embedded executables within a document format) |
| image-analyzer | The file was classified by Spectra Core image analyzer (e.g. suspicious data was found within an image) |
| ricc | The file was classified by Spectra Core RICC (e.g. RHA classification, RICC rule classifications) |
| signature | The file was classified by Spectra Core signature |
| antivirus | The file was classified by an AntiVirus component |
| ng-antivirus | The file was classified by a NextGen AntiVirus component |
| yara | The file was classified by a YARA rule |
## Capability tags - refer to capabilities of executables, documents, and mobile applications

| Tag | Description |
| --- | --- |
| capability-advertising | The file has advertising-related capabilities (e.g. AdMob) - applies to documents and mobile formats |
| capability-bluetooth | The file can use Bluetooth to communicate with other devices - mobile-specific tag |
| capability-camera | The file has access to the camera - applies to documents and mobile formats |
| capability-cryptography | The file has cryptography-related capabilities (e.g. it can encrypt or hash data and files) |
| capability-deprecated | The file uses deprecated APIs |
| capability-embeds | The file has other files embedded within (e.g. an iframe or an OLE object) - document-specific tag |
| capability-execution | The file has execution-related capabilities (e.g. an application can spawn new processes or threads) |
| capability-filesystem | The file has filesystem-related capabilities (e.g. it can open and read files) |
| capability-identification | The file has access to user or device identity - mobile-specific tag |
| capability-microphone | The file has access to the microphone - applies to documents and mobile formats |
| capability-networking | The file has networking-related capabilities (e.g. it can open a socket and send/receive data) |
| capability-nfc | The file can use Near Field Communication (NFC) to communicate with other devices - mobile-specific tag |
| capability-scripting | The file uses a scripting language (e.g. a document contains and uses macros) - document-specific tag |
| capability-security | The file has security-related capabilities |
| capability-social | The file has access to social components or providers (e.g. Facebook) - applies to documents and mobile formats |
| capability-undocumented | The file uses undocumented functions |
| capability-vpn | The file can access VPNs - mobile-specific tag |
| capability-wallet | The file has access to user's wallet - mobile-specific tag |
Indicator tags - refer to indicators found in executables, documents, scripts, and mobile applications
An indicator tag will be emitted by Spectra Core only if the priority of a particular indicator is not low (i.e. priority > 3).
| indicator-anomaly | The file contains unusual characteristics (e.g. contains known whitelisted executable filenames) |
| indicator-autostart | The file tampers with autostart settings (e.g. tampers with autorun locations) |
| indicator-behavior | The file automatically executes activities as a user (e.g. changes username or password, prints a document) |
| indicator-disable | The file disables system services (e.g. tampers with Windows Update) |
| indicator-document | The file exhibits unusual activities when handling documents (e.g. PDF that creates new documents) |
| indicator-evasion | The file tries to evade common debuggers, sandboxes or analysis tools (e.g. VM environment detection) |
| indicator-execution | The file creates other processes or starts other applications (e.g. creates a service, installs system drivers) |
| indicator-exploit | The file contains known exploits against the system |
| indicator-family | The file is associated with known malicious families |
| indicator-file | The file accesses other files on the filesystem in an unusual way (e.g. creates a cryptographic hash of file contents) |
| indicator-flow | The file leaks sensitive information to external hosts or creates new files with sensitive data (e.g. exports PDF form fields to files) |
| indicator-macro | The file contains or executes macro functions or scripts (e.g. contains UNIX shell scripts, executes actions associated with bookmarks) |
| indicator-memory | The file tampers with memory of foreign processes (e.g. does process injection) |
| indicator-monitor | The file has the ability to monitor host activities (e.g. accesses a list of logged on users) |
| indicator-network | The file has network-related indicators (e.g. downloads a file, tampers with DNS settings) |
| indicator-packer | The file contains obfuscated or encrypted code or data (e.g. base64 encoded streams) |
| indicator-payload | The file extracts and launches new behavior in an unusual way (e.g. injects CSS into a page) |
| indicator-permissions | The file tampers with or requests additional permissions for execution (e.g. tampers with user/account privileges) |
| indicator-registry | The file accesses registry and configuration files in an unusual way (e.g. tampers with Windows registry settings) |
| indicator-search | The file enumerates or collects information from a system (e.g. enumerates network shares or mounted drives) |
| indicator-settings | The file accesses or tampers with system settings (e.g. enumerates system information) |
| indicator-signature | The file matches a known signature (e.g. contains known compression libraries, HTTP header fields) |
| indicator-steal | The file steals and leaks sensitive information (e.g. accesses Outlook account information and address book) |
| indicator-stealth | The file tries to hide its presence (e.g. tampers with window transparency settings, tampers with firewall settings) |
String tags - related to Spectra Core interesting strings
| string-file | The file contains interesting strings related to the file URI scheme |
| string-scp | The file contains SCP-related interesting strings |
| string-callto | The file contains interesting strings related to the CallTo communication protocol |
| string-h323 | The file contains interesting strings related to the H.323 multimedia communication protocol |
| string-webcal | The file contains interesting strings related to iCalendar files |
| string-ftp | The file contains FTP-related interesting strings |
| string-http | The file contains HTTP-related interesting strings |
| string-https | The file contains HTTPS-related interesting strings |
| string-mailto | The file contains mailto-related interesting strings |
| string-sftp | The file contains SFTP-related interesting strings |
| string-sip | The file contains SIP-related interesting strings |
| string-ssh | The file contains SSH-related interesting strings |
| string-telnet | The file contains Telnet-related interesting strings |
Compression and crypto tags - related to identified compression and crypto content
| compression-aplib | The file has content related to APLib compression algorithm |
| compression-asdpack | The file has content related to ASDPack compression algorithm |
| compression-aspack | The file has content related to ASPack compression algorithm |
| compression-brieflz | The file has content related to BriefLZ compression algorithm |
| compression-brotli | The file has content related to Brotli compression algorithm |
| compression-bzip2 | The file has content related to BZip2 compression algorithm |
| compression-deflate | The file has content related to Deflate compression algorithm |
| compression-dicky | The file has content related to Dicky compression algorithm |
| compression-ffce | The file has content related to FFCE compression algorithm |
| compression-gipfeli | The file has content related to Gipfeli compression algorithm |
| compression-gzip | The file has content related to GZip compression |
| compression-inflate | The file has content related to Inflate compression algorithm |
| compression-jcalg | The file has content related to JCAlg compression algorithm |
| compression-lz4 | The file has content related to LZ4 compression algorithm |
| compression-lzbrs | The file has content related to LZBRS compression algorithm |
| compression-lzfse | The file has content related to LZFSE compression algorithm |
| compression-lzhuf | The file has content related to LZHUF compression algorithm |
| compression-lzma | The file has content related to LZMA compression algorithm |
| compression-lzmat | The file has content related to LZMAT compression algorithm |
| compression-lznt | The file has content related to LZNT compression algorithm |
| compression-lzo | The file has content related to LZO compression algorithm |
| compression-lzrw | The file has content related to LZRW compression algorithm |
| compression-lzss | The file has content related to LZSS compression algorithm |
| compression-ncompress42 | The file has content related to Ncompress42 compression algorithm |
| compression-neolite | The file has content related to NeoLite compression algorithm |
| compression-nrv | The file has content related to NRV compression algorithm |
| compression-pithy | The file has content related to Pithy compression algorithm |
| compression-pkzip | The file has content related to PKZIP compression algorithm |
| compression-pucrunch | The file has content related to Pucrunch compression algorithm |
| compression-snappy | The file has content related to Snappy compression algorithm |
| compression-unlzx | The file has content related to UnLZX compression algorithm |
| compression-unrarlib | The file has content related to unrarlib compression algorithm |
| compression-zip | The file has content related to Zip compression |
| compression-zlib | The file has content related to Zlib compression algorithm |
| compression-zstd | The file has content related to Zstd compression algorithm |
| crypto-acss | The file has content related to ACSS algorithm |
| crypto-adler-crc32 | The file has content related to Adler-32 algorithm |
| crypto-base32 | The file has content related to Base32 algorithm |
| crypto-base64 | The file has content related to Base64 algorithm |
| crypto-base64url | The file has content related to Base64URL algorithm |
| crypto-bcrypt | The file has content related to BCrypt algorithm |
| crypto-bhencode | The file has content related to Bhencode algorithm |
| crypto-blake | The file has content related to Blake algorithm |
| crypto-blowfish | The file has content related to Blowfish algorithm |
| crypto-bmw512 | The file has content related to BMW-512 algorithm |
| crypto-botan | The file has content found in Botan cryptography library |
| crypto-camellia | The file has content related to Camellia algorithm |
| crypto-cast | The file has content related to CAST algorithm |
| crypto-cast256 | The file has content related to CAST-256 algorithm |
| crypto-clefia | The file has content related to CLEFIA algorithm |
| crypto-collision | The file contains blocks used in SHA-1 collision attacks |
| crypto-crc32 | The file has content related to CRC-32 algorithm |
| crypto-cryptlib | The file has content found in Cryptlib cryptography library |
| crypto-cryptopp | The file has content found in Cryptopp (Crypto++) cryptography library |
| crypto-des | The file has content related to DES algorithm |
| crypto-desx | The file has content related to DESX algorithm |
| crypto-dsa | The file has content related to Digital Signature Algorithm (DSA) |
| crypto-ecc | The file has content related to Elliptic-curve cryptography (ECC) |
| crypto-frog | The file has content related to FROG algorithm |
| crypto-gnupg | The file has content found in GnuPG cryptography library |
| crypto-gnutls | The file has content found in GnuTLS cryptography library |
| crypto-gost | The file has content related to GOST algorithm |
| crypto-haval | The file has content related to HAVAL algorithm |
| crypto-hmac | The file has content related to HMAC algorithm |
| crypto-ike | The file has content related to Internet Key Exchange (IKE) |
| crypto-kasumi | The file has content related to KASUMI algorithm |
| crypto-keccak | The file has content related to Keccak algorithm |
| crypto-mars | The file has content related to MARS algorithm |
| crypto-md2 | The file has content related to MD2 algorithm |
| crypto-md4 | The file has content related to MD4 algorithm |
| crypto-md5 | The file has content related to MD5 algorithm |
| crypto-md5mac | The file has content related to MD5-MAC algorithm |
| crypto-misty1 | The file has content related to Misty1 algorithm |
| crypto-misty2 | The file has content related to Misty2 algorithm |
| crypto-nacl | The file has content found in NaCl cryptography library |
| crypto-nettle | The file has content found in Nettle cryptography library |
| crypto-noekeon | The file has content related to NOEKEON algorithm |
| crypto-nss | The file has content found in NSS cryptography library |
| crypto-nush | The file has content related to NUSH algorithm |
| crypto-openbsd-base64 | The file has content related to OpenBSD Base64 algorithm |
| crypto-openssl | The file has content found in OpenSSL cryptography library |
| crypto-pbkdf2 | The file has content related to PBKDF2 algorithm |
| crypto-pkcs | The file has content related to Public Key Cryptography Standards (PKCS) |
| crypto-rawdes | The file has content related to RawDES algorithm |
| crypto-rc2 | The file has content related to RC2 algorithm |
| crypto-rc4 | The file has content related to RC4 algorithm |
| crypto-rijndael | The file has content related to AES (Rijndael) algorithm |
| crypto-ripemd128 | The file has content related to RIPEMD-128 algorithm |
| crypto-ripemd160 | The file has content related to RIPEMD-160 algorithm |
| crypto-ripemd160mac | The file has content related to RIPEMD-160-MAC algorithm |
| crypto-ripemd256 | The file has content related to RIPEMD-256 algorithm |
| crypto-ripemd320 | The file has content related to RIPEMD-320 algorithm |
| crypto-rsa | The file has content related to RSA algorithm |
| crypto-rtss | The file has content related to Robust Threshold Secret Sharing (RTSS) |
| crypto-safer | The file has content related to SAFER algorithm |
| crypto-salsa20 | The file has content related to Salsa20 algorithm |
| crypto-seed | The file has content related to SEED algorithm |
| crypto-serpent | The file has content related to Serpent algorithm |
| crypto-sha1 | The file has content related to SHA-1 algorithm |
| crypto-sha1mac | The file has content related to SHA-1-MAC algorithm |
| crypto-sha224 | The file has content related to SHA-224 algorithm |
| crypto-sha224mac | The file has content related to SHA-224-MAC algorithm |
| crypto-sha256 | The file has content related to SHA-256 algorithm |
| crypto-sha256mac | The file has content related to SHA-256-MAC algorithm |
| crypto-sha3-224mac | The file has content related to SHA3-224-MAC algorithm |
| crypto-sha3-256mac | The file has content related to SHA3-256-MAC algorithm |
| crypto-sha3-384mac | The file has content related to SHA3-384-MAC algorithm |
| crypto-sha3-512mac | The file has content related to SHA3-512-MAC algorithm |
| crypto-sha384 | The file has content related to SHA-384 algorithm |
| crypto-sha384mac | The file has content related to SHA-384-MAC algorithm |
| crypto-sha512 | The file has content related to SHA-512 algorithm |
| crypto-sha512mac | The file has content related to SHA-512-MAC algorithm |
| crypto-shark | The file has content related to Shark algorithm |
| crypto-siphash | The file has content related to SipHash algorithm |
| crypto-skein | The file has content related to Skein algorithm |
| crypto-skipjack | The file has content related to Skipjack algorithm |
| crypto-sms4 | The file has content related to SMS4 algorithm |
| crypto-sosemanuk | The file has content related to Sosemanuk algorithm |
| crypto-square | The file has content related to Square algorithm |
| crypto-tiger | The file has content related to Tiger algorithm |
| crypto-tripledes | The file has content related to TripleDES algorithm |
| crypto-turing | The file has content related to Turing algorithm |
| crypto-twofish | The file has content related to Twofish algorithm |
| crypto-unicorn | The file has content related to Unicorn algorithm |
| crypto-uuencode | The file has content related to UUencode algorithm |
| crypto-wake | The file has content related to Wake algorithm |
| crypto-whirlpool | The file has content related to Whirlpool algorithm |
| crypto-x509 | The file has content related to X.509 standard |
| crypto-xxencode | The file has content related to XXencode algorithm |
Email specific tags - related to email content
| disposable-email | Email is hosted by a service that offers disposable email addresses |
| email-deceptive-sender | The display name of one of the senders contains a string resembling an email address whose domain differs from the domain of the actual sender address |
| email-returnpath-mismatch | The "Return-Path" header contains an email address with a domain that is different from the domain of the sender |
| email-replyto-mismatch | The "Reply-To" header contains an email address with a domain that is different from the domain of the sender |
| email-sender-mismatch | The "Sender" header contains an email address with a domain that is different from the domain specified in the "From" header |
| email-envelopefrom-mismatch | The "X-Envelope-From" header contains an email address with a domain that is different from the domain of the sender |
| email-receivedtime-mismatch | The "Date" header indicates a time that is in the future or more than 1 hour before the time specified in the "Received" header |
| email-spf-fail | Headers indicate that the SPF (Sender Policy Framework) check has failed |
| email-dkim-fail | Headers indicate that the DKIM (Domain Keys Identified Mail) check has failed |
| email-dmarc-fail | Headers indicate that the DMARC (Domain-based Message Authentication, Reporting & Conformance) check has failed |
| email-pgp | Email is signed and/or encrypted using "Pretty Good Privacy" |
| email-smime | Email is signed and/or encrypted using "Secure/Multipurpose Internet Mail Extensions" |
| email-attachment | Email contains at least one attachment |
| email-deceptive-extension | Email attachment has multiple extensions (e.g. "file.doc.exe") |
| email-body-plain | Content of email body is available in plain text format |
| email-body-rtf | Content of email body is available in RTF format |
| email-body-html | Content of email body is available in HTML format |
| email-impersonation | The display name of one of the senders impersonates a popular service |
| email-signature-impersonation | Email contents impersonate an email commonly sent by a popular service |
| email-urgency | Email contains multiple phrases that imply a sense of urgency |
| email-sensitive-topic | Email contains multiple phrases related to sensitive topics |
| email-hidden-text | Email contains a hidden block of text designed to trick classification systems |
| email-subject-spam | Email subject contains phrases common to spam messages |
| email-subject-phishing | Email subject is commonly used in phishing messages |
| email-anonymous-provider | Email is sent using an anonymous email provider |
Format specific tags - apply only to specific file formats
| html-frame | The HTML file contains one or more IFRAME tags |
| html-form | The HTML file contains one or more FORM tags |
| html-input | The HTML file contains one or more INPUT tags |
| html-password | The HTML file contains one or more tags with the "password" attribute |
| html-image | The HTML file contains one or more IMAGE tags |
| html-canvas | The HTML file contains one or more CANVAS tags |
| html-object | The HTML file contains any of the following tags: APPLET, AUDIO, EMBED, OBJECT, SOURCE, VIDEO |
| html-download | The HTML file contains one or more links with the "download" attribute |
| html-local-link | The HTML file contains one or more links to local files |
| html-tracking | The HTML file contains one or more tracking pixels |
| html-popup | The HTML file contains an A tag with target="_blank" attribute |
| html-wsffile | The HTML file contains an A tag with href="jsffile:..." or href="wsffile:..." or href="wsfhile:..." |
| font-embedded | The HTML file contains embedded fonts |
| deceptive-link | The HTML file contains potentially deceptive links |
| platform-unix | The quarantine file was created by a security solution running on a UNIX-like operating system |
| platform-windows | The quarantine file was created by a security solution running on the Microsoft Windows operating system |
| quarantine-manual | The quarantine file was added to the quarantine manually by a user, not as a result of an automatic detection by the security solution |
| quarantine-malicious-content | The quarantine file contains one or more pieces of remediated malicious content associated with a detected threat |
| quarantine-threat-metadata | The quarantine file contains metadata describing the antivirus specific threat which triggered the remediation |
| version-control-artifact | The file is part of a control structure for a version control repository (e.g. an index or revision data) |
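The HTML tags in the table above (html-frame through deceptive-link) all come from inspecting the element tree, so they are a natural fit for a streaming parser. The block below is an added example built on Python's `html.parser`, not Spectra Core's implementation; the sample document is constructed. Where the table leaves the rule open, the example picks one and says so: a "tracking pixel" is an IMG declared 1x1, a "local" link uses the `file:` scheme, a drive letter or a UNC path, an "embedded font" is an `@font-face` rule in an inline stylesheet, and a "deceptive link" is an A element whose visible text names a host different from the host in its href. All of those are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OBJECT_TAGS = {"applet", "audio", "embed", "object", "source", "video"}
WSF_SCHEMES = ("jsffile:", "wsffile:", "wsfhile:")
# Assumption: a link is "local" if it uses file:, a drive letter or a UNC path.
LOCAL_RE = re.compile(r"^(?:file:|[a-z]:[\\/]|\\\\)", re.I)
# Link text that looks like a URL or bare hostname; group 1 is the host the user sees.
SHOWN_HOST_RE = re.compile(r"^(?:https?://)?(?:www\.)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", re.I)

# Constructed sample document (not from the page); hosts are placeholders.
SAMPLE = """<html><head>
<style>@font-face{font-family:x;src:url(data:font/woff2;base64,AAAA)}</style>
</head><body>
<form action="https://collect.example/post"><input name="user"><input type="password" name="pw"></form>
<a href="http://paypal.com.verify-login.example/x" target="_blank">https://www.paypal.com/login</a>
<a href="file:///C:/Users/Public/run.hta">open</a>
<a href="wsffile:payload.wsf">help</a>
<a href="https://cdn.example/inv.exe" download>invoice</a>
<img src="https://t.example/p.gif" width="1" height="1">
<iframe src="https://evil.example/" style="display:none"></iframe>
<object data="x.swf"></object>
</body></html>"""

BENIGN = '<html><body><p>Hello</p><a href="https://www.example.org/">www.example.org</a></body></html>'


def _host(url):
    """Lower-cased hostname of a URL without a leading 'www.' ('' if none)."""
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


class TagCollector(HTMLParser):
    """Collects the html-* / font-embedded / deceptive-link tags while parsing."""

    def __init__(self):
        super().__init__()
        self.tags = set()
        self._href = None      # href of the <a> currently open, if any
        self._text = []        # text seen inside that <a>
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}  # valueless attrs become ""
        if tag == "iframe":
            self.tags.add("html-frame")
        elif tag == "form":
            self.tags.add("html-form")
        elif tag == "input":
            self.tags.add("html-input")
            if a.get("type", "").lower() == "password":
                self.tags.add("html-password")
        elif tag == "img":
            self.tags.add("html-image")
            if a.get("width") == "1" and a.get("height") == "1":  # 1x1 pixel
                self.tags.add("html-tracking")
        elif tag == "canvas":
            self.tags.add("html-canvas")
        elif tag in OBJECT_TAGS:
            self.tags.add("html-object")
        elif tag == "a":
            href = a.get("href", "").strip()
            if "download" in a:
                self.tags.add("html-download")
            if a.get("target", "").lower() == "_blank":
                self.tags.add("html-popup")
            if href.lower().startswith(WSF_SCHEMES):
                self.tags.add("html-wsffile")
            if LOCAL_RE.match(href):
                self.tags.add("html-local-link")
            self._href, self._text = href, []
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = SHOWN_HOST_RE.match("".join(self._text).strip())
            real = _host(self._href)
            # Visible host and actual target host disagree: deceptive link.
            if shown and real and shown.group(1).lower() != real:
                self.tags.add("deceptive-link")
            self._href = None
        elif tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        if self._in_style and "@font-face" in data:
            self.tags.add("font-embedded")


def html_tags(document):
    """Return the set of tags emitted for one HTML document."""
    p = TagCollector()
    p.feed(document)
    p.close()
    return p.tags


if __name__ == "__main__":
    print(sorted(html_tags(SAMPLE)))
```

Stripping `www.` on both sides keeps a link whose text says `www.example.org` and whose href points at `https://www.example.org/` from being flagged; anything stricter (subdomain or IDN homograph handling) is beyond what the table describes.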