InQuest Labs API v1.0.2
labs.inquest.net RESTful API
Base URLs:
Authentication
- API Key (authorization)
- Parameter Name: Authorization, in: header. Use of an API key on InQuest Labs is optional. However, without an API key, requests are rate limited to 1337 requests per day and you will not be able to download sample files.
DFI
DFI related operations.
/api/dfi/filters
Code samples
# You can also use wget
# GET /api/dfi/filters: returns the DFI regex filters as JSON.
curl --request GET \
  --url 'https://labs.inquest.net/api/dfi/filters' \
  --header 'Accept: application/json'
GET https://labs.inquest.net/api/dfi/filters HTTP/1.1
Host: labs.inquest.net
Accept: application/json
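// Request headers: ask for a JSON body. An optional 'Authorization' header
// carrying an API key lifts the daily rate limit (see Authentication).
const headers = {
  'Accept':'application/json'
};

// GET /api/dfi/filters: fetch the DFI regex filters.
fetch('https://labs.inquest.net/api/dfi/filters',
  {
    method: 'GET',
    headers: headers
  })
  .then(function(res) {
    // 400/500 responses are JSON too (success: false, error: ...), so they
    // are parsed and printed like a 200 instead of being discarded.
    return res.json();
  }).then(function(body) {
    console.log(body);
  }).catch(function(err) {
    // The original chain had no rejection handler, so a network or parse
    // failure surfaced as an unhandled promise rejection.
    console.error(err);
  });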
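require 'rest-client'
require 'json'

# Request headers: ask for a JSON body. An optional 'Authorization' header
# carrying an API key lifts the daily rate limit (see Authentication).
headers = {
  'Accept' => 'application/json'
}

# RestClient.get takes one hash of header names, with :params reserved for the
# query string. The original nested the headers under a 'headers' key, so the
# Accept header was not sent as intended.
begin
  result = RestClient.get 'https://labs.inquest.net/api/dfi/filters',
                          headers.merge(params: {})
  p JSON.parse(result)
rescue RestClient::ExceptionWithResponse => e
  # Non-2xx responses raise; the body still carries the API's JSON error object.
  p JSON.parse(e.response.body)
end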
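import requests

# Request headers: ask for a JSON body. An optional 'Authorization' header
# carrying an API key lifts the daily rate limit (see Authentication).
headers = {
    'Accept': 'application/json'
}

# Always bound the request: requests has no default timeout and can block forever.
r = requests.get(
    'https://labs.inquest.net/api/dfi/filters',
    headers=headers,
    timeout=30,
)
# 400/500 responses are JSON too (success: false, error: ...), so the body is
# printed either way rather than raised away.
print(r.json())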
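<?php
require 'vendor/autoload.php';

// Request headers: ask for a JSON body. An optional 'Authorization' header
// carrying an API key lifts the daily rate limit (see Authentication).
$headers = array(
  'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
  // A GET carries no body. The original passed 'json' => array(), which sent
  // "[]" with a Content-Type: application/json header on every request.
  $response = $client->request('GET','https://labs.inquest.net/api/dfi/filters', array(
    'headers' => $headers,
    // Bound the request instead of waiting indefinitely.
    'timeout' => 30,
  ));
  print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
  // 4xx/5xx: the API's JSON error object is in the response body, not the message.
  print_r($e->getResponse()->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\GuzzleException $e) {
  // Transport failures (no response at all) were previously uncaught.
  print_r($e->getMessage());
}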
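// ...
URL obj = new URL("https://labs.inquest.net/api/dfi/filters");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
// Match the other samples: ask for a JSON response body.
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
// On 4xx/5xx getInputStream() throws; the API's JSON error object is on the
// error stream. try-with-resources closes the reader even if readLine() throws
// (the original left it open on an exception).
StringBuilder response = new StringBuilder();
try (BufferedReader in = new BufferedReader(new InputStreamReader(
        responseCode >= 400 ? con.getErrorStream() : con.getInputStream()))) {
    String inputLine;
    while ((inputLine = in.readLine()) != null) {
        response.append(inputLine);
    }
}
System.out.println(response.toString());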
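package main

import (
	"fmt"
	"net/http"
	"os"
	"time"
)

// main issues GET /api/dfi/filters and leaves the response for the caller to
// read (the trailing "// ..." marks the elided part of the sample).
func main() {
	// A GET carries no body, so the request is built with nil. The original
	// referenced an undefined jsonReq and never checked err.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/dfi/filters", nil)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Ask for a JSON body. An optional Authorization header carrying an API key
	// lifts the daily rate limit (see Authentication).
	req.Header.Set("Accept", "application/json")

	// Bound the request: the zero-value client has no timeout.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer resp.Body.Close()
	// ...
}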
GET /api/dfi/filters
Regex filters for DFI layers.
Various filters to highlight or mask content from DFI layers.
Example responses
200 Response
{
"success": true,
"data": {
"embedded-logic": [
{
"is_case_sensitive": false,
"is_regex": true,
"title": "Macro: Filter Benign Lines",
"value": "^((?!(rem|attribute|dim|\\s*'|\\s*on error|end (sub|function))).)*$"
},
{
"is_case_sensitive": false,
"is_regex": true,
"title": "Macro: Highlight Functions and Calls",
"value": "(^|\\n|\\s*)[.(\\s][A-Za-z0-9_]+\\s*\\("
},
{
"is_case_sensitive": false,
"is_regex": true,
"title": "Macro: Highlight Line Continuations",
"value": "_$"
},
{
"is_case_sensitive": false,
"is_regex": true,
"title": "Macro: Highlight String Operations",
"value": "\\b(cstr|format|instr|instrrev|join|lcase|left|len|like|ltrim|mid|replace|right|rtrim|split|str|strcomp|strconv|string|strreverse|trim|ucase|val)\\b"
},
{
"is_case_sensitive": false,
"is_regex": true,
"title": "Macro: Highlight Subroutine Definitions",
"value": "(^|\\n)\\s*(private\\s*|public\\s*)?(function|sub)[\\s_]*"
},
{
"is_case_sensitive": false,
"is_regex": true,
"title": "Macro: Highlight Suspicious Lines",
"value": "\\b(call|cmd|concat|create|createobject|download|environ|exec|eval|function|hidden|install|open|shell|run|start|write|xor)\\b"
}
]
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
500 | Internal Server Error | The stock response object for all responses from labs. | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | The DFI filters. |
»» embedded-logic | [DFIFilter] | true | none | [A rule used by DFI for matching content.] |
»»» is_case_sensitive | boolean | true | none | True if the rule is case sensitive, otherwise False. |
»»» is_regex | boolean | true | none | True if the rule is a regular expression, otherwise False. |
»»» title | string | true | none | The name of the rule. |
»»» value | string | true | none | The rule to apply. |
/api/dfi/search/alert
Code samples
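# You can also use wget
# Quote the URL: an unquoted '?' is a shell glob character.
curl -X GET 'https://labs.inquest.net/api/dfi/search/alert?title=Analysis%20Evasion%20Strings' \
  -H 'Accept: application/json'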
GET https://labs.inquest.net/api/dfi/search/alert?title=Analysis%20Evasion%20Strings HTTP/1.1
Host: labs.inquest.net
Accept: application/json
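// Request headers: ask for a JSON body. An optional 'Authorization' header
// carrying an API key lifts the daily rate limit (see Authentication).
const headers = {
  'Accept':'application/json'
};

// GET /api/dfi/search/alert: search DFI results by a single alert title.
fetch('https://labs.inquest.net/api/dfi/search/alert?title=Analysis%20Evasion%20Strings',
  {
    method: 'GET',
    headers: headers
  })
  .then(function(res) {
    // 400/500 responses are JSON too (success: false, error: ...), so they
    // are parsed and printed like a 200 instead of being discarded.
    return res.json();
  }).then(function(body) {
    console.log(body);
  }).catch(function(err) {
    // The original chain had no rejection handler, so a network or parse
    // failure surfaced as an unhandled promise rejection.
    console.error(err);
  });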
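require 'rest-client'
require 'json'

# Request headers: ask for a JSON body. An optional 'Authorization' header
# carrying an API key lifts the daily rate limit (see Authentication).
headers = {
  'Accept' => 'application/json'
}

# RestClient.get takes one hash of header names, with :params reserved for the
# query string. The original nested the headers under a 'headers' key, so the
# Accept header was not sent as intended.
begin
  result = RestClient.get 'https://labs.inquest.net/api/dfi/search/alert',
                          headers.merge(params: {
                            'title' => 'string'
                          })
  p JSON.parse(result)
rescue RestClient::ExceptionWithResponse => e
  # Non-2xx responses raise; the body still carries the API's JSON error object.
  p JSON.parse(e.response.body)
end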
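import requests

# Request headers: ask for a JSON body. An optional 'Authorization' header
# carrying an API key lifts the daily rate limit (see Authentication).
headers = {
    'Accept': 'application/json'
}

# Always bound the request: requests has no default timeout and can block forever.
r = requests.get(
    'https://labs.inquest.net/api/dfi/search/alert',
    params={
        'title': 'Analysis Evasion Strings'
    },
    headers=headers,
    timeout=30,
)
# 400/500 responses are JSON too (success: false, error: ...), so the body is
# printed either way rather than raised away.
print(r.json())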
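<?php
require 'vendor/autoload.php';

// Request headers: ask for a JSON body. An optional 'Authorization' header
// carrying an API key lifts the daily rate limit (see Authentication).
$headers = array(
  'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
  // A GET carries no body. The original passed 'json' => array(), which sent
  // "[]" with a Content-Type: application/json header, and dropped the required
  // 'title' query parameter the other samples send.
  $response = $client->request('GET','https://labs.inquest.net/api/dfi/search/alert', array(
    'headers' => $headers,
    'query' => array('title' => 'Analysis Evasion Strings'),
    // Bound the request instead of waiting indefinitely.
    'timeout' => 30,
  ));
  print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
  // 4xx/5xx: the API's JSON error object is in the response body, not the message.
  print_r($e->getResponse()->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\GuzzleException $e) {
  // Transport failures (no response at all) were previously uncaught.
  print_r($e->getMessage());
}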
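// ...
URL obj = new URL("https://labs.inquest.net/api/dfi/search/alert?title=Analysis%20Evasion%20Strings");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
// Match the other samples: ask for a JSON response body.
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
// On 4xx/5xx getInputStream() throws; the API's JSON error object is on the
// error stream. try-with-resources closes the reader even if readLine() throws
// (the original left it open on an exception).
StringBuilder response = new StringBuilder();
try (BufferedReader in = new BufferedReader(new InputStreamReader(
        responseCode >= 400 ? con.getErrorStream() : con.getInputStream()))) {
    String inputLine;
    while ((inputLine = in.readLine()) != null) {
        response.append(inputLine);
    }
}
System.out.println(response.toString());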
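package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"time"
)

// main issues GET /api/dfi/search/alert and leaves the response for the caller
// to read (the trailing "// ..." marks the elided part of the sample).
func main() {
	// A GET carries no body, so the request is built with nil. The original
	// referenced an undefined jsonReq, never checked err, and sent no query.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/dfi/search/alert", nil)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Encode the required 'title' parameter rather than splicing it into the URL.
	q := url.Values{}
	q.Set("title", "Analysis Evasion Strings")
	req.URL.RawQuery = q.Encode()
	// Ask for a JSON body. An optional Authorization header carrying an API key
	// lifts the daily rate limit (see Authentication).
	req.Header.Set("Accept", "application/json")

	// Bound the request: the zero-value client has no timeout.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer resp.Body.Close()
	// ...
}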
GET /api/dfi/search/alert
Search DFI by Alert.
Search the DFI results by a single alert title.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
title | query | string | true | The alert title to search for. |
Example responses
200 Response
{
"success": true,
"data": [
{
"analysis_completed": true,
"classification": "MALICIOUS",
"file_type": "DOC",
"first_seen": "Wed, 02 Sep 2020 12:28:56 GMT",
"image": false,
"inquest_alerts": [],
"last_inquest_featext": "Wed, 02 Sep 2020 12:31:11 GMT",
"len_code": 71560,
"len_context": 21,
"len_metadata": 1308,
"len_ocr": 276,
"mime_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"sha256": "fb66ad2d748d6ff30bdfbb15fc42ee8386772702b3bfef5317b99c8fcdcc6059",
"size": 92646,
"subcategory": "macro_hunter",
"subcategory_url": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/macro_hunter.rule",
"vt_positives": 9,
"vt_weight": 2.700000047683716
},
{
"analysis_completed": true,
"classification": "MALICIOUS",
"file_type": "DOC",
"first_seen": "Wed, 02 Sep 2020 12:28:56 GMT",
"image": false,
"inquest_alerts": [],
"last_inquest_featext": "Wed, 02 Sep 2020 12:31:31 GMT",
"len_code": 71560,
"len_context": 21,
"len_metadata": 1308,
"len_ocr": 276,
"mime_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"sha256": "d6ac955b6756b0ca5eb236db66dc54c1e84c74067ace61b47adcbe1409c66222",
"size": 92646,
"subcategory": "macro_hunter",
"subcategory_url": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/macro_hunter.rule",
"vt_positives": 8,
"vt_weight": 2.700000047683716
}
]
}
Bad Request
{
"success": false,
"data": [],
"error": "The 'title' parameter was not recognized."
}
{
"success": false,
"data": [],
"error": "The 'title' parameter contained invalid characters."
}
{
"success": false,
"data": [],
"error": "The 'title' parameter was not recognized."
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
400 | Bad Request | Bad Request | Inline |
500 | Internal Server Error | The stock response object for all responses from labs. | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | [DFIResult] | true | none | The matching DFI results. |
»» analysis_completed | boolean | false | none | True if the DFI analysis is complete, otherwise False. |
»» classification | Classification | false | none | Indicates the threat posed by an artifact. |
»» file_type | FileType | false | none | A valid file type that can be analyzed. |
»» first_seen | string | false | none | The time the file was first seen. |
»» image | boolean | false | none | True if there is an image associated with the file, otherwise False. |
»» inquest_alerts | [Alert] | false | none | [A DFI triggered event based on a heuristic rule.] |
»»» category | string | false | none | The alert severity. |
»»» description | string | false | none | The alert description. |
»»» reference | string | false | none | A link to the alert. |
»»» title | string | false | none | The alert name. |
»» last_inquest_featext | string | false | none | The last time DFI analyzed the file. |
»» len_code | integer | false | none | The length in bytes of the code extracted from the file by DFI. |
»» len_context | integer | false | none | The length in bytes of the semantic context extracted from the file by DFI. |
»» len_metadata | integer | false | none | The length in bytes of the metadata extracted from the file by DFI. |
»» len_ocr | integer | false | none | The length in bytes of the OCR text extracted from the file by DFI. |
»» mime_type | string | false | none | The MIME type of the file. |
»» sha_256 | string | false | none | The SHA256 hash of the file. |
»» size | integer | false | none | The size of the file in bytes. |
»» subcategory | string | false | none | The DFI source. |
»» subcategory_url | string | false | none | The link to DFI subcategory source code. |
»» vt_positives | integer | false | none | The Virus Total score. |
»» vt_weight | number(float) | false | none | The Virus Total weight. |
Enumerated Values
Property | Value |
---|---|
classification | MALICIOUS |
classification | UNKNOWN |
file_type | DOC |
file_type | DOCX |
file_type | EML |
file_type | OLE |
file_type | PPT |
file_type | XLS |
category | suspicious |
category | evasive |
category | info |
category | malicious |
subcategory | excel40_hunter |
subcategory | macro_hunter |
subcategory | maldoc_hunter |
subcategory | malfash_hunter |
subcategory | maljar_hunter |
subcategory | malpdf_hunter |
subcategory | pdfjs_hunter |
subcategory | phish_hunter |
subcategory | rtf_hunter |
subcategory | slk_hunter |
subcategory | swfdoc_hunter |
subcategory | xsl_hunter |
Status Code 400
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
/api/dfi/search/ext/{source}
Code samples
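# You can also use wget
# Quote the URL: an unquoted '?' is a shell glob character and '{...}' may be
# brace-expanded. Replace {source} with one of ext_code, ext_context, ext_ocr,
# ext_metadata.
curl -X GET 'https://labs.inquest.net/api/dfi/search/ext/{source}?keyword=End%20Sub' \
  -H 'Accept: application/json'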
GET https://labs.inquest.net/api/dfi/search/ext/{source}?keyword=End%20Sub HTTP/1.1
Host: labs.inquest.net
Accept: application/json
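// Request headers: ask for a JSON body. An optional 'Authorization' header
// carrying an API key lifts the daily rate limit (see Authentication).
const headers = {
  'Accept':'application/json'
};

// GET /api/dfi/search/ext/{source}: replace {source} with one of ext_code,
// ext_context, ext_ocr, ext_metadata before sending.
fetch('https://labs.inquest.net/api/dfi/search/ext/{source}?keyword=End%20Sub',
  {
    method: 'GET',
    headers: headers
  })
  .then(function(res) {
    // 400/500 responses are JSON too (success: false, error: ...), so they
    // are parsed and printed like a 200 instead of being discarded.
    return res.json();
  }).then(function(body) {
    console.log(body);
  }).catch(function(err) {
    // The original chain had no rejection handler, so a network or parse
    // failure surfaced as an unhandled promise rejection.
    console.error(err);
  });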
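require 'rest-client'
require 'json'

# Request headers: ask for a JSON body. An optional 'Authorization' header
# carrying an API key lifts the daily rate limit (see Authentication).
headers = {
  'Accept' => 'application/json'
}

# RestClient.get takes one hash of header names, with :params reserved for the
# query string. The original nested the headers under a 'headers' key, so the
# Accept header was not sent as intended. Replace {source} with one of
# ext_code, ext_context, ext_ocr, ext_metadata.
begin
  result = RestClient.get 'https://labs.inquest.net/api/dfi/search/ext/{source}',
                          headers.merge(params: {
                            'keyword' => 'string'
                          })
  p JSON.parse(result)
rescue RestClient::ExceptionWithResponse => e
  # Non-2xx responses raise; the body still carries the API's JSON error object.
  p JSON.parse(e.response.body)
end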
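import requests

# Request headers: ask for a JSON body. An optional 'Authorization' header
# carrying an API key lifts the daily rate limit (see Authentication).
headers = {
    'Accept': 'application/json'
}

# Replace {source} with one of ext_code, ext_context, ext_ocr, ext_metadata.
# Always bound the request: requests has no default timeout and can block forever.
r = requests.get(
    'https://labs.inquest.net/api/dfi/search/ext/{source}',
    params={
        'keyword': 'End Sub'
    },
    headers=headers,
    timeout=30,
)
# 400/500 responses are JSON too (success: false, error: ...), so the body is
# printed either way rather than raised away.
print(r.json())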
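<?php
require 'vendor/autoload.php';

// Request headers: ask for a JSON body. An optional 'Authorization' header
// carrying an API key lifts the daily rate limit (see Authentication).
$headers = array(
  'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
  // A GET carries no body. The original passed 'json' => array(), which sent
  // "[]" with a Content-Type: application/json header, and dropped the required
  // 'keyword' query parameter the other samples send. Replace {source} with one
  // of ext_code, ext_context, ext_ocr, ext_metadata.
  $response = $client->request('GET','https://labs.inquest.net/api/dfi/search/ext/{source}', array(
    'headers' => $headers,
    'query' => array('keyword' => 'End Sub'),
    // Bound the request instead of waiting indefinitely.
    'timeout' => 30,
  ));
  print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
  // 4xx/5xx: the API's JSON error object is in the response body, not the message.
  print_r($e->getResponse()->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\GuzzleException $e) {
  // Transport failures (no response at all) were previously uncaught.
  print_r($e->getMessage());
}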
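// ...
// Replace {source} with one of ext_code, ext_context, ext_ocr, ext_metadata.
URL obj = new URL("https://labs.inquest.net/api/dfi/search/ext/{source}?keyword=End%20Sub");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
// Match the other samples: ask for a JSON response body.
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
// On 4xx/5xx getInputStream() throws; the API's JSON error object is on the
// error stream. try-with-resources closes the reader even if readLine() throws
// (the original left it open on an exception).
StringBuilder response = new StringBuilder();
try (BufferedReader in = new BufferedReader(new InputStreamReader(
        responseCode >= 400 ? con.getErrorStream() : con.getInputStream()))) {
    String inputLine;
    while ((inputLine = in.readLine()) != null) {
        response.append(inputLine);
    }
}
System.out.println(response.toString());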
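package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"time"
)

// main issues GET /api/dfi/search/ext/{source} and leaves the response for the
// caller to read (the trailing "// ..." marks the elided part of the sample).
// Replace {source} with one of ext_code, ext_context, ext_ocr, ext_metadata.
func main() {
	// A GET carries no body, so the request is built with nil. The original
	// referenced an undefined jsonReq, never checked err, and sent no query.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/dfi/search/ext/{source}", nil)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Encode the required 'keyword' parameter rather than splicing it into the URL.
	q := url.Values{}
	q.Set("keyword", "End Sub")
	req.URL.RawQuery = q.Encode()
	// Ask for a JSON body. An optional Authorization header carrying an API key
	// lifts the daily rate limit (see Authentication).
	req.Header.Set("Accept", "application/json")

	// Bound the request: the zero-value client has no timeout.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer resp.Body.Close()
	// ...
}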
GET /api/dfi/search/ext/{source}
Search DFI by Extraction Layer.
Search the DFI results by extraction layer and keyword, where keyword is a text fragment to search for and the extraction layer is one of the following:
- ext_code - The Embedded Logic layer
- ext_context - The Semantic Text layer
- ext_ocr - The Semantic OCR text layer
- ext_metadata - The Extracted Metadata layer
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
source | path | string | true | The extraction layer to search. |
keyword | query | string | true | The text fragment to search for. |
Detailed descriptions
source: The extraction layer to search. Valid values are ext_code, ext_context, ext_ocr, ext_metadata.
Enumerated Values
Parameter | Value |
---|---|
source | ext_code |
source | ext_context |
source | ext_ocr |
source | ext_metadata |
Example responses
200 Response
{
"success": true,
"data": [
{
"analysis_completed": true,
"classification": "MALICIOUS",
"file_type": "DOC",
"first_seen": "Wed, 02 Sep 2020 12:28:56 GMT",
"image": false,
"inquest_alerts": [],
"last_inquest_featext": "Wed, 02 Sep 2020 12:31:11 GMT",
"len_code": 71560,
"len_context": 21,
"len_metadata": 1308,
"len_ocr": 276,
"mime_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"sha256": "fb66ad2d748d6ff30bdfbb15fc42ee8386772702b3bfef5317b99c8fcdcc6059",
"size": 92646,
"subcategory": "macro_hunter",
"subcategory_url": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/macro_hunter.rule",
"vt_positives": 9,
"vt_weight": 2.700000047683716
},
{
"analysis_completed": true,
"classification": "MALICIOUS",
"file_type": "DOC",
"first_seen": "Wed, 02 Sep 2020 12:28:56 GMT",
"image": false,
"inquest_alerts": [],
"last_inquest_featext": "Wed, 02 Sep 2020 12:31:31 GMT",
"len_code": 71560,
"len_context": 21,
"len_metadata": 1308,
"len_ocr": 276,
"mime_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"sha256": "d6ac955b6756b0ca5eb236db66dc54c1e84c74067ace61b47adcbe1409c66222",
"size": 92646,
"subcategory": "macro_hunter",
"subcategory_url": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/macro_hunter.rule",
"vt_positives": 8,
"vt_weight": 2.700000047683716
}
]
}
Bad Request
{
"success": false,
"data": [],
"error": "The 'source' parameter must be one of ext_code, ext_context, ext_ocr, ext_metadata."
}
{
"success": false,
"data": [],
"error": "No search 'keyword' specified."
}
{
"success": false,
"data": [],
"error": "The 'keyword' parameter must be at least 4 bytes long."
}
{
"success": false,
"data": [],
"error": "The 'keyword' parameter can not contain percent (%), asterisk (*), or sequential underscores (__)."
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
400 | Bad Request | Bad Request | Inline |
500 | Internal Server Error | The stock response object for all responses from labs. | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | [DFIResult] | true | none | The matching DFI results. |
»» analysis_completed | boolean | false | none | True if the DFI analysis is complete, otherwise False. |
»» classification | Classification | false | none | Indicates the threat posed by an artifact. |
»» file_type | FileType | false | none | A valid file type that can be analyzed. |
»» first_seen | string | false | none | The time the file was first seen. |
»» image | boolean | false | none | True if there is an image associated with the file, otherwise False. |
»» inquest_alerts | [Alert] | false | none | [A DFI triggered event based on a heuristic rule.] |
»»» category | string | false | none | The alert severity. |
»»» description | string | false | none | The alert description. |
»»» reference | string | false | none | A link to the alert. |
»»» title | string | false | none | The alert name. |
»» last_inquest_featext | string | false | none | The last time DFI analyzed the file. |
»» len_code | integer | false | none | The length in bytes of the code extracted from the file by DFI. |
»» len_context | integer | false | none | The length in bytes of the semantic context extracted from the file by DFI. |
»» len_metadata | integer | false | none | The length in bytes of the metadata extracted from the file by DFI. |
»» len_ocr | integer | false | none | The length in bytes of the OCR text extracted from the file by DFI. |
»» mime_type | string | false | none | The MIME type of the file. |
»» sha_256 | string | false | none | The SHA256 hash of the file. |
»» size | integer | false | none | The size of the file in bytes. |
»» subcategory | string | false | none | The DFI source. |
»» subcategory_url | string | false | none | The link to DFI subcategory source code. |
»» vt_positives | integer | false | none | The Virus Total score. |
»» vt_weight | number(float) | false | none | The Virus Total weight. |
Enumerated Values
Property | Value |
---|---|
classification | MALICIOUS |
classification | UNKNOWN |
file_type | DOC |
file_type | DOCX |
file_type | EML |
file_type | OLE |
file_type | PPT |
file_type | XLS |
category | suspicious |
category | evasive |
category | info |
category | malicious |
subcategory | excel40_hunter |
subcategory | macro_hunter |
subcategory | maldoc_hunter |
subcategory | malfash_hunter |
subcategory | maljar_hunter |
subcategory | malpdf_hunter |
subcategory | pdfjs_hunter |
subcategory | phish_hunter |
subcategory | rtf_hunter |
subcategory | slk_hunter |
subcategory | swfdoc_hunter |
subcategory | xsl_hunter |
Status Code 400
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
/api/dfi/search/hash/{source}
Code samples
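# You can also use wget
# Quote the URL: an unquoted '?' is a shell glob character and '{...}' may be
# brace-expanded. Replace {source} with one of md5, sha1, sha256, sha512 and
# 'string' with a hash of that type.
curl -X GET 'https://labs.inquest.net/api/dfi/search/hash/{source}?hash=string' \
  -H 'Accept: application/json'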
GET https://labs.inquest.net/api/dfi/search/hash/{source}?hash=string HTTP/1.1
Host: labs.inquest.net
Accept: application/json
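// Request headers: ask for a JSON body. An optional 'Authorization' header
// carrying an API key lifts the daily rate limit (see Authentication).
const headers = {
  'Accept':'application/json'
};

// GET /api/dfi/search/hash/{source}: replace {source} with one of md5, sha1,
// sha256, sha512 and the 'string' placeholder with a hash of that type.
fetch('https://labs.inquest.net/api/dfi/search/hash/{source}?hash=string',
  {
    method: 'GET',
    headers: headers
  })
  .then(function(res) {
    // 400/500 responses are JSON too (success: false, error: ...), so they
    // are parsed and printed like a 200 instead of being discarded.
    return res.json();
  }).then(function(body) {
    console.log(body);
  }).catch(function(err) {
    // The original chain had no rejection handler, so a network or parse
    // failure surfaced as an unhandled promise rejection.
    console.error(err);
  });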
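require 'rest-client'
require 'json'

# Request headers: ask for a JSON body. An optional 'Authorization' header
# carrying an API key lifts the daily rate limit (see Authentication).
headers = {
  'Accept' => 'application/json'
}

# RestClient.get takes one hash of header names, with :params reserved for the
# query string. The original nested the headers under a 'headers' key, so the
# Accept header was not sent as intended. Replace {source} with one of md5,
# sha1, sha256, sha512 and 'string' with a hash of that type.
begin
  result = RestClient.get 'https://labs.inquest.net/api/dfi/search/hash/{source}',
                          headers.merge(params: {
                            'hash' => 'string'
                          })
  p JSON.parse(result)
rescue RestClient::ExceptionWithResponse => e
  # Non-2xx responses raise; the body still carries the API's JSON error object.
  p JSON.parse(e.response.body)
end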
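import requests

# Request headers: ask for a JSON body. An optional 'Authorization' header
# carrying an API key lifts the daily rate limit (see Authentication).
headers = {
    'Accept': 'application/json'
}

# Replace {source} with one of md5, sha1, sha256, sha512 and 'string' with a
# hash of that type. Always bound the request: requests has no default timeout.
r = requests.get(
    'https://labs.inquest.net/api/dfi/search/hash/{source}',
    params={
        'hash': 'string'
    },
    headers=headers,
    timeout=30,
)
# 400/500 responses are JSON too (success: false, error: ...), so the body is
# printed either way rather than raised away.
print(r.json())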
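<?php
require 'vendor/autoload.php';

// Request headers: ask for a JSON body. An optional 'Authorization' header
// carrying an API key lifts the daily rate limit (see Authentication).
$headers = array(
  'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
  // A GET carries no body. The original passed 'json' => array(), which sent
  // "[]" with a Content-Type: application/json header, and dropped the required
  // 'hash' query parameter the other samples send. Replace {source} with one of
  // md5, sha1, sha256, sha512 and 'string' with a hash of that type.
  $response = $client->request('GET','https://labs.inquest.net/api/dfi/search/hash/{source}', array(
    'headers' => $headers,
    'query' => array('hash' => 'string'),
    // Bound the request instead of waiting indefinitely.
    'timeout' => 30,
  ));
  print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
  // 4xx/5xx: the API's JSON error object is in the response body, not the message.
  print_r($e->getResponse()->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\GuzzleException $e) {
  // Transport failures (no response at all) were previously uncaught.
  print_r($e->getMessage());
}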
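// ...
// Replace {source} with one of md5, sha1, sha256, sha512 and 'string' with a
// hash of that type.
URL obj = new URL("https://labs.inquest.net/api/dfi/search/hash/{source}?hash=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
// Match the other samples: ask for a JSON response body.
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
// On 4xx/5xx getInputStream() throws; the API's JSON error object is on the
// error stream. try-with-resources closes the reader even if readLine() throws
// (the original left it open on an exception).
StringBuilder response = new StringBuilder();
try (BufferedReader in = new BufferedReader(new InputStreamReader(
        responseCode >= 400 ? con.getErrorStream() : con.getInputStream()))) {
    String inputLine;
    while ((inputLine = in.readLine()) != null) {
        response.append(inputLine);
    }
}
System.out.println(response.toString());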
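package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"time"
)

// main issues GET /api/dfi/search/hash/{source} and leaves the response for the
// caller to read (the trailing "// ..." marks the elided part of the sample).
// Replace {source} with one of md5, sha1, sha256, sha512 and "string" with a
// hash of that type.
func main() {
	// A GET carries no body, so the request is built with nil. The original
	// referenced an undefined jsonReq, never checked err, and sent no query.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/dfi/search/hash/{source}", nil)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Encode the required 'hash' parameter rather than splicing it into the URL.
	q := url.Values{}
	q.Set("hash", "string")
	req.URL.RawQuery = q.Encode()
	// Ask for a JSON body. An optional Authorization header carrying an API key
	// lifts the daily rate limit (see Authentication).
	req.Header.Set("Accept", "application/json")

	// Bound the request: the zero-value client has no timeout.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer resp.Body.Close()
	// ...
}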
GET /api/dfi/search/hash/{source}
Search DFI by hash.
Search the DFI results by file hash, where the hash must conform to one of the following types:
- md5
- sha1
- sha256
- sha512
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
source | path | string | true | The hash type to search by. |
hash | query | string | true | Hash to search by. |
Detailed descriptions
source: The hash type to search by. Valid values are md5, sha1, sha256, sha512.
Enumerated Values
Parameter | Value |
---|---|
source | md5 |
source | sha1 |
source | sha256 |
source | sha512 |
Example responses
200 Response
{
"success": true,
"data": [
{
"analysis_completed": true,
"classification": "MALICIOUS",
"file_type": "DOC",
"first_seen": "Wed, 02 Sep 2020 12:28:56 GMT",
"image": false,
"inquest_alerts": [],
"last_inquest_featext": "Wed, 02 Sep 2020 12:31:11 GMT",
"len_code": 71560,
"len_context": 21,
"len_metadata": 1308,
"len_ocr": 276,
"mime_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"sha256": "fb66ad2d748d6ff30bdfbb15fc42ee8386772702b3bfef5317b99c8fcdcc6059",
"size": 92646,
"subcategory": "macro_hunter",
"subcategory_url": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/macro_hunter.rule",
"vt_positives": 9,
"vt_weight": 2.700000047683716
},
{
"analysis_completed": true,
"classification": "MALICIOUS",
"file_type": "DOC",
"first_seen": "Wed, 02 Sep 2020 12:28:56 GMT",
"image": false,
"inquest_alerts": [],
"last_inquest_featext": "Wed, 02 Sep 2020 12:31:31 GMT",
"len_code": 71560,
"len_context": 21,
"len_metadata": 1308,
"len_ocr": 276,
"mime_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"sha256": "d6ac955b6756b0ca5eb236db66dc54c1e84c74067ace61b47adcbe1409c66222",
"size": 92646,
"subcategory": "macro_hunter",
"subcategory_url": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/macro_hunter.rule",
"vt_positives": 8,
"vt_weight": 2.700000047683716
}
]
}
Bad Request
{
"success": false,
"data": [],
"error": "The 'source' parameter must be one of md5, sha1, sha256, sha512."
}
{
"success": false,
"data": [],
"error": "No search 'hash' specified."
}
Server Error
{
"success": false,
"data": [],
"error": "Invalid MD5 hash supplied."
}
{
"success": false,
"data": [],
"error": "Invalid SHA1 hash supplied."
}
{
"success": false,
"data": [],
"error": "Invalid SHA256 hash supplied."
}
{
"success": false,
"data": [],
"error": "Invalid SHA512 hash supplied."
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
400 | Bad Request | Bad Request | Inline |
500 | Internal Server Error | Server Error | Inline |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | [DFIResult] | true | none | The matching DFI results. |
»» analysis_completed | boolean | false | none | True if the DFI analysis is complete, otherwise False. |
»» classification | Classification | false | none | Indicates the threat posed by an artifact. |
»» file_type | FileType | false | none | A valid file type that can be analyzed. |
»» first_seen | string | false | none | The time the file was first seen. |
»» image | boolean | false | none | True if there is an image associated with the file, otherwise False. |
»» inquest_alerts | [Alert] | false | none | [A DFI triggered event based on a heuristic rule.] |
»»» category | string | false | none | The alert severity. |
»»» description | string | false | none | The alert description. |
»»» reference | string | false | none | A link to the alert. |
»»» title | string | false | none | The alert name. |
»» last_inquest_featext | string | false | none | The last time DFI analyzed the file. |
»» len_code | integer | false | none | The length in bytes of the code extracted from the file by DFI. |
»» len_context | integer | false | none | The length in bytes of the semantic context extracted from the file by DFI. |
»» len_metadata | integer | false | none | The length in bytes of the metadata extracted from the file by DFI. |
»» len_ocr | integer | false | none | The length in bytes of the OCR text extracted from the file by DFI. |
»» mime_type | string | false | none | The MIME type of the file. |
»» sha_256 | string | false | none | The SHA256 hash of the file. |
»» size | integer | false | none | The size of the file in bytes. |
»» subcategory | string | false | none | The DFI source. |
»» subcategory_url | string | false | none | The link to DFI subcategory source code. |
»» vt_positives | integer | false | none | The Virus Total score. |
»» vt_weight | number(float) | false | none | The Virus Total weight. |
Enumerated Values
Property | Value |
---|---|
classification | MALICIOUS |
classification | UNKNOWN |
file_type | DOC |
file_type | DOCX |
file_type | EML |
file_type | OLE |
file_type | PPT |
file_type | XLS |
category | suspicious |
category | evasive |
category | info |
category | malicious |
subcategory | excel40_hunter |
subcategory | macro_hunter |
subcategory | maldoc_hunter |
subcategory | malfash_hunter |
subcategory | maljar_hunter |
subcategory | malpdf_hunter |
subcategory | pdfjs_hunter |
subcategory | phish_hunter |
subcategory | rtf_hunter |
subcategory | slk_hunter |
subcategory | swfdoc_hunter |
subcategory | xsl_hunter |
Status Code 400
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
Status Code 500
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
/api/dfi/search/ioc/{kind}
Code samples
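# You can also use wget
# Quote the URL: an unquoted '?' is a shell glob character and '{...}' may be
# brace-expanded. Replace {kind} with one of the IOC kinds listed under
# Enumerated Values.
curl -X GET 'https://labs.inquest.net/api/dfi/search/ioc/{kind}?keyword=exploit.co' \
  -H 'Accept: application/json'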
GET https://labs.inquest.net/api/dfi/search/ioc/{kind}?keyword=exploit.co HTTP/1.1
Host: labs.inquest.net
Accept: application/json
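// Request headers: ask for a JSON body. An optional 'Authorization' header
// carrying an API key lifts the daily rate limit (see Authentication).
const headers = {
  'Accept':'application/json'
};

// GET /api/dfi/search/ioc/{kind}: replace {kind} with one of the IOC kinds
// listed under Enumerated Values before sending.
fetch('https://labs.inquest.net/api/dfi/search/ioc/{kind}?keyword=exploit.co',
  {
    method: 'GET',
    headers: headers
  })
  .then(function(res) {
    // 400/500 responses are JSON too (success: false, error: ...), so they
    // are parsed and printed like a 200 instead of being discarded.
    return res.json();
  }).then(function(body) {
    console.log(body);
  }).catch(function(err) {
    // The original chain had no rejection handler, so a network or parse
    // failure surfaced as an unhandled promise rejection.
    console.error(err);
  });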
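require 'rest-client'
require 'json'

# Request headers: ask for a JSON body. An optional 'Authorization' header
# carrying an API key lifts the daily rate limit (see Authentication).
headers = {
  'Accept' => 'application/json'
}

# RestClient.get takes one hash of header names, with :params reserved for the
# query string. The original nested the headers under a 'headers' key, so the
# Accept header was not sent as intended. Replace {kind} with one of the IOC
# kinds listed under Enumerated Values.
begin
  result = RestClient.get 'https://labs.inquest.net/api/dfi/search/ioc/{kind}',
                          headers.merge(params: {
                            'keyword' => 'string'
                          })
  p JSON.parse(result)
rescue RestClient::ExceptionWithResponse => e
  # Non-2xx responses raise; the body still carries the API's JSON error object.
  p JSON.parse(e.response.body)
end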
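import requests

# Request headers: ask for a JSON body. An optional 'Authorization' header
# carrying an API key lifts the daily rate limit (see Authentication).
headers = {
    'Accept': 'application/json'
}

# Replace {kind} with one of the IOC kinds listed under Enumerated Values.
# Always bound the request: requests has no default timeout and can block forever.
r = requests.get(
    'https://labs.inquest.net/api/dfi/search/ioc/{kind}',
    params={
        'keyword': 'exploit.co'
    },
    headers=headers,
    timeout=30,
)
# 400/500 responses are JSON too (success: false, error: ...), so the body is
# printed either way rather than raised away.
print(r.json())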
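<?php
require 'vendor/autoload.php';

// Request headers: ask for a JSON body. An optional 'Authorization' header
// carrying an API key lifts the daily rate limit (see Authentication).
$headers = array(
  'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
  // A GET carries no body. The original passed 'json' => array(), which sent
  // "[]" with a Content-Type: application/json header, and dropped the required
  // 'keyword' query parameter the other samples send. Replace {kind} with one of
  // the IOC kinds listed under Enumerated Values.
  $response = $client->request('GET','https://labs.inquest.net/api/dfi/search/ioc/{kind}', array(
    'headers' => $headers,
    'query' => array('keyword' => 'exploit.co'),
    // Bound the request instead of waiting indefinitely.
    'timeout' => 30,
  ));
  print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
  // 4xx/5xx: the API's JSON error object is in the response body, not the message.
  print_r($e->getResponse()->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\GuzzleException $e) {
  // Transport failures (no response at all) were previously uncaught.
  print_r($e->getMessage());
}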
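// ...
// Replace {kind} with one of the IOC kinds listed under Enumerated Values.
URL obj = new URL("https://labs.inquest.net/api/dfi/search/ioc/{kind}?keyword=exploit.co");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
// Match the other samples: ask for a JSON response body.
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
// On 4xx/5xx getInputStream() throws; the API's JSON error object is on the
// error stream. try-with-resources closes the reader even if readLine() throws
// (the original left it open on an exception).
StringBuilder response = new StringBuilder();
try (BufferedReader in = new BufferedReader(new InputStreamReader(
        responseCode >= 400 ? con.getErrorStream() : con.getInputStream()))) {
    String inputLine;
    while ((inputLine = in.readLine()) != null) {
        response.append(inputLine);
    }
}
System.out.println(response.toString());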
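package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"time"
)

// main issues GET /api/dfi/search/ioc/{kind} and leaves the response for the
// caller to read (the trailing "// ..." marks the elided part of the sample).
// Replace {kind} with one of the IOC kinds listed under Enumerated Values.
func main() {
	// A GET carries no body, so the request is built with nil. The original
	// referenced an undefined jsonReq, never checked err, and sent no query.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/dfi/search/ioc/{kind}", nil)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Encode the required 'keyword' parameter rather than splicing it into the URL.
	q := url.Values{}
	q.Set("keyword", "exploit.co")
	req.URL.RawQuery = q.Encode()
	// Ask for a JSON body. An optional Authorization header carrying an API key
	// lifts the daily rate limit (see Authentication).
	req.Header.Set("Accept", "application/json")

	// Bound the request: the zero-value client has no timeout.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer resp.Body.Close()
	// ...
}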
GET /api/dfi/search/ioc/{kind}
Search DFI by IOC.
Search the DFI results by IOC, where IOC is one of the following:
- domain
- filename
- ip
- registry
- url
- xmpid
This endpoint is often used for pivoting to find files with an IOC that matches keyword.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
kind | path | string | true | The IOC kind to search for. |
keyword | query | string | true | The IOC text to search for. |
Detailed descriptions
kind: The IOC kind to search for. The valid IOCs are domain, email, filename, ip, registry, url, and xmpid.
Enumerated Values
Parameter | Value |
---|---|
kind | domain |
kind | email |
kind | filename |
kind | ip |
kind | registry |
kind | url |
kind | xmpid |
Example responses
200 Response
{
"success": true,
"data": [
{
"analysis_completed": true,
"classification": "MALICIOUS",
"file_type": "DOC",
"first_seen": "Wed, 02 Sep 2020 12:28:56 GMT",
"image": false,
"inquest_alerts": [],
"last_inquest_featext": "Wed, 02 Sep 2020 12:31:11 GMT",
"len_code": 71560,
"len_context": 21,
"len_metadata": 1308,
"len_ocr": 276,
"mime_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"sha256": "fb66ad2d748d6ff30bdfbb15fc42ee8386772702b3bfef5317b99c8fcdcc6059",
"size": 92646,
"subcategory": "macro_hunter",
"subcategory_url": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/macro_hunter.rule",
"vt_positives": 9,
"vt_weight": 2.700000047683716
},
{
"analysis_completed": true,
"classification": "MALICIOUS",
"file_type": "DOC",
"first_seen": "Wed, 02 Sep 2020 12:28:56 GMT",
"image": false,
"inquest_alerts": [],
"last_inquest_featext": "Wed, 02 Sep 2020 12:31:31 GMT",
"len_code": 71560,
"len_context": 21,
"len_metadata": 1308,
"len_ocr": 276,
"mime_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"sha256": "d6ac955b6756b0ca5eb236db66dc54c1e84c74067ace61b47adcbe1409c66222",
"size": 92646,
"subcategory": "macro_hunter",
"subcategory_url": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/macro_hunter.rule",
"vt_positives": 8,
"vt_weight": 2.700000047683716
}
]
}
Bad Request
{
"success": false,
"data": [],
"error": "The 'kind' parameter must be one of domain, email, filename, ip, registry, url, or xmpid."
}
{
"success": false,
"data": [],
"error": "No search 'keyword' specified."
}
{
"success": false,
"data": [],
"error": "The 'keyword' parameter must be at least 4 bytes long."
}
{
"success": false,
"data": [],
"error": "The 'keyword' parameter can not contain percent (%), asterisk (*), or sequential underscores (__)."
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
400 | Bad Request | Bad Request | Inline |
500 | Internal Server Error | The stock response object for all responses from labs. | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | [DFIResult] | true | none | The matching DFI results. |
»» analysis_completed | boolean | false | none | True if the DFI analysis is complete, otherwise False. |
»» classification | Classification | false | none | Indicates the threat posed by an artifact. |
»» file_type | FileType | false | none | A valid file type that can be analyzed. |
»» first_seen | string | false | none | The time the file was first seen. |
»» image | boolean | false | none | True if there is an image associated with the file, otherwise False. |
»» inquest_alerts | [Alert] | false | none | [A DFI triggered event based on a heuristic rule.] |
»»» category | string | false | none | The alert severity. |
»»» description | string | false | none | The alert description. |
»»» reference | string | false | none | A link to the alert. |
»»» title | string | false | none | The alert name. |
»» last_inquest_featext | string | false | none | The last time DFI analyzed the file. |
»» len_code | integer | false | none | The length in bytes of the code extracted from the file by DFI. |
»» len_context | integer | false | none | The length in bytes of the semantic context extracted from the file by DFI. |
»» len_metadata | integer | false | none | The length in bytes of the metadata extracted from the file by DFI. |
»» len_ocr | integer | false | none | The length in bytes of the OCR text extracted from the file by DFI. |
»» mime_type | string | false | none | The MIME type of the file. |
»» sha_256 | string | false | none | The SHA256 hash of the file. |
»» size | integer | false | none | The size of the file in bytes. |
»» subcategory | string | false | none | The DFI source. |
»» subcategory_url | string | false | none | The link to DFI subcategory source code. |
»» vt_positives | integer | false | none | The Virus Total score. |
»» vt_weight | number(float) | false | none | The Virus Total weight. |
Enumerated Values
Property | Value |
---|---|
classification | MALICIOUS |
classification | UNKNOWN |
file_type | DOC |
file_type | DOCX |
file_type | EML |
file_type | OLE |
file_type | PPT |
file_type | XLS |
category | suspicious |
category | evasive |
category | info |
category | malicious |
subcategory | excel40_hunter |
subcategory | macro_hunter |
subcategory | maldoc_hunter |
subcategory | malfash_hunter |
subcategory | maljar_hunter |
subcategory | malpdf_hunter |
subcategory | pdfjs_hunter |
subcategory | phish_hunter |
subcategory | rtf_hunter |
subcategory | slk_hunter |
subcategory | swfdoc_hunter |
subcategory | xsl_hunter |
Status Code 400
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
/api/dfi/sources
Code samples
# You can also use wget
curl --request GET \
  --header 'Accept: application/json' \
  'https://labs.inquest.net/api/dfi/filters'
GET https://labs.inquest.net/api/dfi/sources HTTP/1.1
Host: labs.inquest.net
Accept: application/json
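const headers = {
  'Accept': 'application/json',
};

// GET /api/dfi/sources and print the JSON envelope.
fetch('https://labs.inquest.net/api/dfi/sources', {
  method: 'GET',
  headers,
})
  .then((res) => {
    // 4xx/5xx also carry a JSON body: fail instead of logging the error envelope as data.
    if (!res.ok) {
      throw new Error(`labs request failed with HTTP ${res.status}`);
    }
    return res.json();
  })
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // Every promise chain needs a rejection handler.
    console.error('request failed:', err);
  });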
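require 'rest-client'
require 'json'

# RestClient reads request headers from the second hash directly; a `headers:` key would be
# sent as a literal HTTP header instead of the Accept header this sample intends.
headers = {
  'Accept' => 'application/json'
}

# RestClient raises on 4xx/5xx, so JSON.parse only ever sees a successful envelope.
result = RestClient.get('https://labs.inquest.net/api/dfi/sources', headers)
p JSON.parse(result)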
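import requests

headers = {
    'Accept': 'application/json',
}

# `timeout` keeps a stalled connection from hanging the script; requests has no default.
r = requests.get('https://labs.inquest.net/api/dfi/sources', headers=headers, timeout=30)
# 4xx/5xx carry a JSON error envelope; raise instead of printing it as if it were data.
r.raise_for_status()
print(r.json())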
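<?php
require 'vendor/autoload.php';

$headers = array(
    'Accept' => 'application/json',
);
$client = new \GuzzleHttp\Client();

try {
    // A GET carries no JSON body; sending one only adds a misleading Content-Type.
    $response = $client->request('GET', 'https://labs.inquest.net/api/dfi/sources', array(
        'headers' => $headers,
    ));
    print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
    // 4xx/5xx: the response body is the labs JSON error envelope.
    print_r($e->getMessage());
}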
// ...
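URL obj = new URL("https://labs.inquest.net/api/dfi/sources");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
// Ask for JSON explicitly, as the other samples on this page do.
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the labs JSON error envelope is on the error stream.
InputStream stream = responseCode < 400 ? con.getInputStream() : con.getErrorStream();
StringBuilder response = new StringBuilder();
if (stream != null) {
    // try-with-resources closes the reader even when readLine() throws.
    try (BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
    }
}
System.out.println(response.toString());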
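package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
)

// main performs GET /api/dfi/sources and prints the status and JSON body.
func main() {
	// A GET carries no body, so the request is built with a nil body.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/dfi/sources", nil)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	req.Header.Set("Accept", "application/json")

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// 5xx carries the labs JSON error envelope; the status line tells it apart.
	fmt.Println(resp.Status)
	fmt.Println(string(body))
}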
GET /api/dfi/sources
DFI sources.
List of DFI sources.
Example responses
200 Response
{
"success": true,
"data": {
"macro_hunter": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/macro_hunter.rule",
"maldoc_hunter": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/maldoc_hunter.rule",
"malpdf_hunter": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/malpdf_hunter.rule"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
500 | Internal Server Error | The stock response object for all responses from labs. | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | The DFI sources and links to their corresponding source code. |
/api/dfi/details
Code samples
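# You can also use wget
# The URL is quoted because `?` is a glob character in some shells (zsh aborts on it).
curl --header 'Accept: application/json' \
  'https://labs.inquest.net/api/dfi/details?sha256=string'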
GET https://labs.inquest.net/api/dfi/details?sha256=string HTTP/1.1
Host: labs.inquest.net
Accept: application/json
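const headers = {
  'Accept': 'application/json',
};

// GET /api/dfi/details for one file; `sha256=string` is a placeholder for the file hash.
fetch('https://labs.inquest.net/api/dfi/details?sha256=string', {
  method: 'GET',
  headers,
})
  .then((res) => {
    // 400/404/500 also carry a JSON body: fail instead of logging the error envelope as data.
    if (!res.ok) {
      throw new Error(`labs request failed with HTTP ${res.status}`);
    }
    return res.json();
  })
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // Every promise chain needs a rejection handler.
    console.error('request failed:', err);
  });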
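require 'rest-client'
require 'json'

# RestClient reads request headers from the second hash directly; `params:` inside that hash
# becomes the query string. A `headers:` key would be sent as a literal HTTP header instead.
headers = {
  'Accept' => 'application/json',
  params: {
    'sha256' => 'string'
  }
}

# RestClient raises on 400/404/500 (the body is the labs JSON error envelope).
result = RestClient.get('https://labs.inquest.net/api/dfi/details', headers)
p JSON.parse(result)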
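import requests

headers = {
    'Accept': 'application/json',
}

# `timeout` keeps a stalled connection from hanging the script; requests has no default.
r = requests.get(
    'https://labs.inquest.net/api/dfi/details',
    params={'sha256': 'string'},
    headers=headers,
    timeout=30,
)
# 400/404/500 carry a JSON error envelope; raise instead of printing it as if it were data.
r.raise_for_status()
print(r.json())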
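<?php
require 'vendor/autoload.php';

$headers = array(
    'Accept' => 'application/json',
);
$client = new \GuzzleHttp\Client();

try {
    // The required `sha256` parameter travels in the query string; a GET carries no JSON body.
    $response = $client->request('GET', 'https://labs.inquest.net/api/dfi/details', array(
        'headers' => $headers,
        'query' => array('sha256' => 'string'),
    ));
    print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
    // 400/404/500: the response body is the labs JSON error envelope.
    print_r($e->getMessage());
}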
// ...
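URL obj = new URL("https://labs.inquest.net/api/dfi/details?sha256=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
// Ask for JSON explicitly, as the other samples on this page do.
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the labs JSON error envelope is on the error stream.
InputStream stream = responseCode < 400 ? con.getInputStream() : con.getErrorStream();
StringBuilder response = new StringBuilder();
if (stream != null) {
    // try-with-resources closes the reader even when readLine() throws.
    try (BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
    }
}
System.out.println(response.toString());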
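package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
)

// main performs GET /api/dfi/details for one file and prints the status and JSON body.
func main() {
	// The required `sha256` parameter belongs in the query string; a GET carries no body.
	query := url.Values{}
	query.Set("sha256", "string")
	endpoint := "https://labs.inquest.net/api/dfi/details?" + query.Encode()

	req, err := http.NewRequest("GET", endpoint, nil)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	req.Header.Set("Accept", "application/json")

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// 400/404/500 carry the labs JSON error envelope; the status line tells them apart.
	fmt.Println(resp.Status)
	fmt.Println(string(body))
}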
GET /api/dfi/details
Retrieve file details.
Pull DFI details for a given file.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
sha256 | query | string | true | The SHA256 hash of the file to retrieve details of. |
Example responses
200 Response
{
"success": "string",
"data": {
"analysis_completed": true,
"classification": "MALICIOUS",
"ext_code": "string",
"ext_context": "string",
"ext_metadata": "string",
"ext_ocr": "string",
"file_type": "DOC",
"first_seen": "Wed, 02 Sep 2020 12:28:56 GMT",
"image": true,
"inquest_alerts": [
{
"category": "suspicious",
"description": "Detected a macro that references a suspicious number of tersely named variables.",
"reference": "string",
"title": "Suspicious Document Variables"
}
],
"inquest_dfi_size": 598712,
"last_inquest_dfi": "Mon, 07 Sep 2020 23:48:40 GMT",
"last_inquest_featext": "Wed, 07 Sep 2020 23:49:43 GMT",
"last_updated": "Wed, 07 Sep 2020 23:49:43 GMT",
"len_code": 0,
"len_context": 106222,
"len_metadata": 1243,
"len_ocr": 0,
"malware_label": "sagent-docdl-htfcpy-emotet-classic-tioibekv-malware",
"md5": "69d263c0f6641150aa72f3777eb4ca81",
"mime_type": "application/vnd.ms-excel",
"sha1": "3d0d1c2f867259ebfb4674198ff7a4978a0a8520",
"sha256": "ac8ab2f4a2aa6a0ceec2743ce15d9e1ae9bf5827e78523e19215bea0c4a4c45b",
"sha512": "059c3a01a7c5b35be63959dfe0b9d71d58251613be3feec5bb82ff4e60c2f83bbb43e9cec44a981e980cb0b7133048c35f58b65f722741951a8328093f1d796d",
"size": 222208,
"subcategory": "maldoc_hunter",
"subcategory_url": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/maldoc_hunter.rule",
"virus_total": "https://www.virustotal.com/gui/file/ac8ab2f4a2aa6a0ceec2743ce15d9e1ae9bf5827e78523e19215bea0c4a4c45b",
"vt_positives": 8,
"vt_weight": 2.700000047683716
}
}
Bad Request
{
"success": false,
"data": [],
"error": "Parameter 'sha256' is required."
}
{
"success": false,
"data": [],
"error": "Supplied 'sha256' value is not a valid hash."
}
Not Found
{
"success": false,
"data": [],
"error": "Analysis for 518a94661be4f9e85eec5e5bae4bdec4c6890a1883f25959a9507452b0f9c698 is still pending."
}
{
"success": false,
"data": [],
"error": "No DFI record found for 518a94661be4f9e85eec5e5bae4bdec4c6890a1883f25959a9507452b0f9c698."
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
400 | Bad Request | Bad Request | Inline |
404 | Not Found | Not Found | Inline |
500 | Internal Server Error | The stock response object for all responses from labs. | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | DFIDetails | true | none | The detailed result of a DFI analysis. |
»» analysis_completed | boolean | false | none | True if the DFI analysis is complete, otherwise False. |
»» classification | Classification | false | none | Indicates the threat posed by an artifact. |
»» ext_code | string | false | none | The Embedded Logic extracted from the file. |
»» ext_context | string | false | none | The Semantic Context extracted from the file. |
»» ext_metadata | string | false | none | The Metadata extracted from the file. |
»» ext_ocr | string | false | none | The Semantic OCR text extracted from the file. |
»» file_type | FileType | false | none | A valid file type that can be analyzed. |
»» first_seen | string | false | none | The time the file was first seen. |
»» image | boolean | false | none | True if there is an image associated with the file, otherwise False. |
»» inquest_alerts | [Alert] | false | none | [A DFI triggered event based on a heuristic rule.] |
»»» category | string | false | none | The alert severity. |
»»» description | string | false | none | The alert description. |
»»» reference | string | false | none | A link to the alert. |
»»» title | string | false | none | The alert name. |
»» inquest_dfi_size | integer | false | none | The file size in bytes after DFI inspection. This size is typically larger than the file size due to converting binary content to text. |
»» last_inquest_dfi | string | false | none | The last time the file was inspected by DFI. |
»» last_inquest_featext | string | false | none | The last time DFI analyzed the file. |
»» last_updated | string | false | none | The last time the file was updated. |
»» len_code | integer | false | none | The length in bytes of the code extracted from the file by DFI. |
»» len_context | integer | false | none | The length in bytes of the semantic context extracted from the file by DFI. |
»» len_metadata | integer | false | none | The length in bytes of the metadata extracted from the file by DFI. |
»» len_ocr | integer | false | none | The length in bytes of the OCR text extracted from the file by DFI. |
»» malware_label | string | false | none | The malware labels that apply to the file. |
»» md5 | string | false | none | The MD5 hash of the file. |
»» mime_type | string | false | none | The file MIME type. |
»» sha1 | string | false | none | The SHA1 hash of the file. |
»» sha256 | string | false | none | The SHA256 hash of the file. |
»» sha512 | string | false | none | The SHA512 hash of the file. |
»» size | integer | false | none | The size of the file in bytes. |
»» subcategory | string | false | none | The DFI source. |
»» subcategory_url | string | false | none | The link to DFI subcategory source code. |
»» virus_total | string | false | none | The link to the file on Virus Total. |
»» vt_positives | integer | false | none | The Virus Total score. |
»» vt_weight | number(float) | false | none | The Virus Total weight. |
Enumerated Values
Property | Value |
---|---|
classification | MALICIOUS |
classification | UNKNOWN |
file_type | DOC |
file_type | DOCX |
file_type | EML |
file_type | OLE |
file_type | PPT |
file_type | XLS |
category | suspicious |
category | evasive |
category | info |
category | malicious |
subcategory | excel40_hunter |
subcategory | macro_hunter |
subcategory | maldoc_hunter |
subcategory | malfash_hunter |
subcategory | maljar_hunter |
subcategory | malpdf_hunter |
subcategory | pdfjs_hunter |
subcategory | phish_hunter |
subcategory | rtf_hunter |
subcategory | slk_hunter |
subcategory | swfdoc_hunter |
subcategory | xsl_hunter |
Status Code 400
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
Status Code 404
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
/api/dfi/details/attributes
Code samples
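# You can also use wget
# The URL is quoted because `?` is a glob character in some shells (zsh aborts on it).
curl --header 'Accept: application/json' \
  'https://labs.inquest.net/api/dfi/details/attributes?sha256=string'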
GET https://labs.inquest.net/api/dfi/details/attributes?sha256=string HTTP/1.1
Host: labs.inquest.net
Accept: application/json
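const headers = {
  'Accept': 'application/json',
};

// GET /api/dfi/details/attributes for one file; `sha256=string` is a placeholder for the hash.
fetch('https://labs.inquest.net/api/dfi/details/attributes?sha256=string', {
  method: 'GET',
  headers,
})
  .then((res) => {
    // 400/500 also carry a JSON body: fail instead of logging the error envelope as data.
    if (!res.ok) {
      throw new Error(`labs request failed with HTTP ${res.status}`);
    }
    return res.json();
  })
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // Every promise chain needs a rejection handler.
    console.error('request failed:', err);
  });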
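require 'rest-client'
require 'json'

# RestClient reads request headers from the second hash directly; `params:` inside that hash
# becomes the query string. A `headers:` key would be sent as a literal HTTP header instead.
headers = {
  'Accept' => 'application/json',
  params: {
    'sha256' => 'string'
  }
}

# RestClient raises on 400/500 (the body is the labs JSON error envelope).
result = RestClient.get('https://labs.inquest.net/api/dfi/details/attributes', headers)
p JSON.parse(result)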
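import requests

headers = {
    'Accept': 'application/json',
}

# `timeout` keeps a stalled connection from hanging the script; requests has no default.
r = requests.get(
    'https://labs.inquest.net/api/dfi/details/attributes',
    params={'sha256': 'string'},
    headers=headers,
    timeout=30,
)
# 400/500 carry a JSON error envelope; raise instead of printing it as if it were data.
r.raise_for_status()
print(r.json())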
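<?php
require 'vendor/autoload.php';

$headers = array(
    'Accept' => 'application/json',
);
$client = new \GuzzleHttp\Client();

try {
    // The required `sha256` parameter travels in the query string; a GET carries no JSON body.
    $response = $client->request('GET', 'https://labs.inquest.net/api/dfi/details/attributes', array(
        'headers' => $headers,
        'query' => array('sha256' => 'string'),
    ));
    print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
    // 400/500: the response body is the labs JSON error envelope.
    print_r($e->getMessage());
}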
// ...
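URL obj = new URL("https://labs.inquest.net/api/dfi/details/attributes?sha256=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
// Ask for JSON explicitly, as the other samples on this page do.
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the labs JSON error envelope is on the error stream.
InputStream stream = responseCode < 400 ? con.getInputStream() : con.getErrorStream();
StringBuilder response = new StringBuilder();
if (stream != null) {
    // try-with-resources closes the reader even when readLine() throws.
    try (BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
    }
}
System.out.println(response.toString());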
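package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
)

// main performs GET /api/dfi/details/attributes for one file and prints the status and JSON body.
func main() {
	// The required `sha256` parameter belongs in the query string; a GET carries no body.
	query := url.Values{}
	query.Set("sha256", "string")
	endpoint := "https://labs.inquest.net/api/dfi/details/attributes?" + query.Encode()

	req, err := http.NewRequest("GET", endpoint, nil)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	req.Header.Set("Accept", "application/json")

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// 400/500 carry the labs JSON error envelope; the status line tells them apart.
	fmt.Println(resp.Status)
	fmt.Println(string(body))
}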
GET /api/dfi/details/attributes
Retrieve file attributes.
Pull attributes for a given file. An attribute is typically an IOC associated with the file.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
sha256 | query | string | true | The SHA256 hash of the file to retrieve details of. |
Example responses
200 Response
{
"success": "string",
"data": {
"attribute": "domain",
"category": "ioc",
"count": 3,
"value": "example.com"
}
}
Bad Request
{
"success": false,
"data": [],
"error": "Parameter 'sha256' is required."
}
{
"success": false,
"data": [],
"error": "Supplied 'sha256' value is not a valid hash."
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
400 | Bad Request | Bad Request | Inline |
500 | Internal Server Error | The stock response object for all responses from labs. | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | Attribute | true | none | An Attribute is an association, such as an IOC, that is made during DFI inspection. |
»» attribute | ArtifactType | false | none | An artifact type such as domain, IP, or URL. |
»» category | string | false | none | The attribute category, typically 'ioc'. |
»» count | integer | false | none | The number of occurrences of the IOC in the file. |
»» value | string | false | none | The attribute value. |
Enumerated Values
Property | Value |
---|---|
attribute | asn_num |
attribute | domain |
attribute | |
attribute | filename |
attribute | hash |
attribute | ip |
attribute | ipaddress |
attribute | url |
attribute | yarasignature |
Status Code 400
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
/api/dfi/download
Code samples
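# You can also use wget
# The response body is the raw sample, so send it to a file instead of the terminal; the URL is
# quoted because `?` is a glob character in some shells. Replace API_KEY with your labs key
# (without one the server answers 500 for downloads). The `encrypt_downloads` query flag listed
# in the parameter table returns a password-protected zip instead of the bare file.
curl --header 'Accept: application/octet-stream' \
  --header 'Authorization: API_KEY' \
  --output sample.bin \
  --write-out '%{http_code}\n' \
  'https://labs.inquest.net/api/dfi/download?sha256=string'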
GET https://labs.inquest.net/api/dfi/download?sha256=string HTTP/1.1
Host: labs.inquest.net
Accept: application/octet-stream
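const headers = {
  'Accept': 'application/octet-stream',
  // Replace with your labs API key; without one the server answers 500 for downloads.
  'Authorization': 'API_KEY',
};

// GET /api/dfi/download returns the raw sample bytes, not JSON. The parameter table lists an
// `encrypt_downloads` flag (the description above calls it `encrypt_download` — confirm the
// exact name) that wraps the sample in a password-protected zip; prefer it when the file will
// touch disk.
fetch('https://labs.inquest.net/api/dfi/download?sha256=string', {
  method: 'GET',
  headers,
})
  .then((res) => {
    // 400/500 carry a JSON error envelope; everything else is binary, so never call res.json().
    if (!res.ok) {
      throw new Error(`labs request failed with HTTP ${res.status}`);
    }
    return res.arrayBuffer();
  })
  .then((bytes) => {
    console.log(`received ${bytes.byteLength} bytes`);
  })
  .catch((err) => {
    console.error('request failed:', err);
  });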
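require 'rest-client'
require 'json'

# RestClient reads request headers from the second hash directly; `params:` inside that hash
# becomes the query string. A `headers:` key would be sent as a literal HTTP header instead.
headers = {
  'Accept' => 'application/octet-stream',
  # Replace with your labs API key; without one the server answers 500 for downloads.
  'Authorization' => 'API_KEY',
  params: {
    'sha256' => 'string'
  }
}

# RestClient raises on 400/500 (the body is the labs JSON error envelope); a successful body is
# the raw sample, so write the bytes out rather than JSON.parse-ing them. The `encrypt_downloads`
# flag from the parameter table returns a password-protected zip instead of the bare file.
result = RestClient.get('https://labs.inquest.net/api/dfi/download', headers)
File.binwrite('sample.bin', result.body) # placeholder file name
puts "wrote #{result.body.bytesize} bytes"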
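import requests

headers = {
    'Accept': 'application/octet-stream',
    # Replace with your labs API key; without one the server answers 500 for downloads.
    'Authorization': 'API_KEY',
}

r = requests.get(
    'https://labs.inquest.net/api/dfi/download',
    params={'sha256': 'string'},
    headers=headers,
    timeout=60,
)
# 400/500 carry a JSON error envelope; raise on those instead of treating them as a sample.
r.raise_for_status()
# A successful body is the raw sample (or a password-protected zip when the `encrypt_downloads`
# flag from the parameter table is set), so write the bytes out — never call r.json() on it.
with open('sample.bin', 'wb') as fh:  # placeholder file name
    fh.write(r.content)
print(len(r.content), 'bytes written')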
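<?php
require 'vendor/autoload.php';

$headers = array(
    'Accept' => 'application/octet-stream',
    // Replace with your labs API key; without one the server answers 500 for downloads.
    'Authorization' => 'API_KEY',
);
$client = new \GuzzleHttp\Client();

try {
    // The required `sha256` parameter travels in the query string; a GET carries no JSON body.
    // A successful body is the raw sample, so stream it to a file rather than print_r-ing it.
    // The `encrypt_downloads` flag from the parameter table returns a password-protected zip.
    $response = $client->request('GET', 'https://labs.inquest.net/api/dfi/download', array(
        'headers' => $headers,
        'query' => array('sha256' => 'string'),
        'sink' => 'sample.bin', // placeholder file name
    ));
    echo 'HTTP ' . $response->getStatusCode() . PHP_EOL;
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
    // 400/500: the response body is the labs JSON error envelope.
    print_r($e->getMessage());
}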
// ...
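URL obj = new URL("https://labs.inquest.net/api/dfi/download?sha256=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/octet-stream");
// Replace with your labs API key; without one the server answers 500 for downloads.
con.setRequestProperty("Authorization", "API_KEY");
int responseCode = con.getResponseCode();
if (responseCode != HttpURLConnection.HTTP_OK) {
    // 400/500 carry the labs JSON error envelope on the error stream.
    StringBuilder response = new StringBuilder();
    InputStream errorStream = con.getErrorStream();
    if (errorStream != null) {
        try (BufferedReader in = new BufferedReader(new InputStreamReader(errorStream, StandardCharsets.UTF_8))) {
            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                response.append(inputLine);
            }
        }
    }
    System.out.println(responseCode + " " + response);
} else {
    // The body is the raw sample (a password-protected zip when the `encrypt_downloads` flag
    // from the parameter table is set): copy the bytes, never read them line by line as text.
    try (InputStream in = con.getInputStream()) {
        Files.copy(in, Paths.get("sample.bin"), StandardCopyOption.REPLACE_EXISTING); // placeholder file name
    }
    System.out.println("sample written");
}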
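package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
)

// main performs GET /api/dfi/download for one file and streams the sample to disk.
func main() {
	// The required `sha256` parameter belongs in the query string; a GET carries no body.
	query := url.Values{}
	query.Set("sha256", "string")
	endpoint := "https://labs.inquest.net/api/dfi/download?" + query.Encode()

	req, err := http.NewRequest("GET", endpoint, nil)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	req.Header.Set("Accept", "application/octet-stream")
	// Replace with your labs API key; without one the server answers 500 for downloads.
	req.Header.Set("Authorization", "API_KEY")

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		// 400/500 carry the labs JSON error envelope; best-effort read so it can be shown.
		body, _ := io.ReadAll(resp.Body)
		fmt.Fprintf(os.Stderr, "%s: %s\n", resp.Status, body)
		os.Exit(1)
	}

	// The body is the raw sample (a password-protected zip when the `encrypt_downloads` flag
	// from the parameter table is set): stream it to disk rather than decoding it as text.
	out, err := os.Create("sample.bin") // placeholder file name
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer out.Close()

	n, err := io.Copy(out, resp.Body)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("wrote %d bytes\n", n)
}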
GET /api/dfi/download
Download sample.
Retrieve the file sample. If the optional encrypt_download flag is set to True, then the file will be returned in a zip archive encrypted with the password 'infected'. Note: If using InQuest Labs without an API key, you will not be able to download files and will receive a 500 status code.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
sha256 | query | string | true | none |
encrypt_downloads | query | boolean | false | none |
Example responses
200 Response
Bad Request
{
"success": false,
"data": [],
"error": "Parameter 'sha256' is required."
}
{
"success": false,
"data": [],
"error": "Supplied 'sha256' value is not a valid hash."
}
Server Error
{
"success": false,
"data": [],
"error": "Open downloads disabled due to abuse. Sorry, we tried. Contact us via email letting us know who you are and what you're working on and we'll generate an API for you key."
}
{
"success": false,
"data": [],
"error": "No DFI record found for 518a94661be4f9e85eec5e5bae4bdec4c6890a1883f25959a9507452b0f9c698"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | The sample file. | string |
400 | Bad Request | Bad Request | Inline |
500 | Internal Server Error | Server Error | Inline |
Response Schema
Status Code 400
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
Status Code 500
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
/api/dfi/list
Code samples
# You can also use wget
curl --request GET \
  --header 'Accept: application/json' \
  'https://labs.inquest.net/api/dfi/list'
GET https://labs.inquest.net/api/dfi/list HTTP/1.1
Host: labs.inquest.net
Accept: application/json
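const headers = {
  'Accept': 'application/json',
};

// GET /api/dfi/list and print the JSON envelope (at most 1337 results, most recent first).
fetch('https://labs.inquest.net/api/dfi/list', {
  method: 'GET',
  headers,
})
  .then((res) => {
    // 5xx also carries a JSON body: fail instead of logging the error envelope as data.
    if (!res.ok) {
      throw new Error(`labs request failed with HTTP ${res.status}`);
    }
    return res.json();
  })
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // Every promise chain needs a rejection handler.
    console.error('request failed:', err);
  });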
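require 'rest-client'
require 'json'

# RestClient reads request headers from the second hash directly; a `headers:` key would be
# sent as a literal HTTP header instead of the Accept header this sample intends.
headers = {
  'Accept' => 'application/json'
}

# RestClient raises on 5xx, so JSON.parse only ever sees a successful envelope.
result = RestClient.get('https://labs.inquest.net/api/dfi/list', headers)
p JSON.parse(result)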
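import requests

headers = {
    'Accept': 'application/json',
}

# `timeout` keeps a stalled connection from hanging the script; requests has no default.
r = requests.get('https://labs.inquest.net/api/dfi/list', headers=headers, timeout=30)
# 5xx carries a JSON error envelope; raise instead of printing it as if it were data.
r.raise_for_status()
print(r.json())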
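<?php
require 'vendor/autoload.php';

$headers = array(
    'Accept' => 'application/json',
);
$client = new \GuzzleHttp\Client();

try {
    // A GET carries no JSON body; sending one only adds a misleading Content-Type.
    $response = $client->request('GET', 'https://labs.inquest.net/api/dfi/list', array(
        'headers' => $headers,
    ));
    print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
    // 5xx: the response body is the labs JSON error envelope.
    print_r($e->getMessage());
}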
// ...
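URL obj = new URL("https://labs.inquest.net/api/dfi/list");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
// Ask for JSON explicitly, as the other samples on this page do.
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the labs JSON error envelope is on the error stream.
InputStream stream = responseCode < 400 ? con.getInputStream() : con.getErrorStream();
StringBuilder response = new StringBuilder();
if (stream != null) {
    // try-with-resources closes the reader even when readLine() throws.
    try (BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
    }
}
System.out.println(response.toString());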
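package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
)

// main performs GET /api/dfi/list and prints the status and JSON body.
func main() {
	// A GET carries no body, so the request is built with a nil body.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/dfi/list", nil)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	req.Header.Set("Accept", "application/json")

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// 5xx carries the labs JSON error envelope; the status line tells it apart.
	fmt.Println(resp.Status)
	fmt.Println(string(body))
}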
GET /api/dfi/list
List of DFI results.
Lists all DFI results starting with the most recent. Note: The maximum number of returned results is 1337.
Example responses
200 Response
{
"success": true,
"data": [
{
"analysis_completed": true,
"classification": "MALICIOUS",
"file_type": "DOC",
"first_seen": "Wed, 02 Sep 2020 12:28:56 GMT",
"image": false,
"inquest_alerts": [],
"last_inquest_featext": "Wed, 02 Sep 2020 12:31:11 GMT",
"len_code": 71560,
"len_context": 21,
"len_metadata": 1308,
"len_ocr": 276,
"mime_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"sha256": "fb66ad2d748d6ff30bdfbb15fc42ee8386772702b3bfef5317b99c8fcdcc6059",
"size": 92646,
"subcategory": "macro_hunter",
"subcategory_url": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/macro_hunter.rule",
"vt_positives": 9,
"vt_weight": 2.700000047683716
},
{
"analysis_completed": true,
"classification": "MALICIOUS",
"file_type": "DOC",
"first_seen": "Wed, 02 Sep 2020 12:28:56 GMT",
"image": false,
"inquest_alerts": [],
"last_inquest_featext": "Wed, 02 Sep 2020 12:31:31 GMT",
"len_code": 71560,
"len_context": 21,
"len_metadata": 1308,
"len_ocr": 276,
"mime_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"sha256": "d6ac955b6756b0ca5eb236db66dc54c1e84c74067ace61b47adcbe1409c66222",
"size": 92646,
"subcategory": "macro_hunter",
"subcategory_url": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/macro_hunter.rule",
"vt_positives": 8,
"vt_weight": 2.700000047683716
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
500 | Internal Server Error | The stock response object for all responses from labs. | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | [DFIResult] | true | none | The matching DFI results. |
»» analysis_completed | boolean | false | none | True if the DFI analysis is complete, otherwise False. |
»» classification | Classification | false | none | Indicates the threat posed by an artifact. |
»» file_type | FileType | false | none | A valid file type that can be analyzed. |
»» first_seen | string | false | none | The time the file was first seen. |
»» image | boolean | false | none | True if there is an image associated with the file, otherwise False. |
»» inquest_alerts | [Alert] | false | none | [A DFI triggered event based on a heuristic rule.] |
»»» category | string | false | none | The alert severity. |
»»» description | string | false | none | The alert description. |
»»» reference | string | false | none | A link to the alert. |
»»» title | string | false | none | The alert name. |
»» last_inquest_featext | string | false | none | The last time DFI analyzed the file. |
»» len_code | integer | false | none | The length in bytes of the code extracted from the file by DFI. |
»» len_context | integer | false | none | The length in bytes of the semantic context extracted from the file by DFI. |
»» len_metadata | integer | false | none | The length in bytes of the metadata extracted from the file by DFI. |
»» len_ocr | integer | false | none | The length in bytes of the OCR text extracted from the file by DFI. |
»» mime_type | string | false | none | The MIME type of the file. |
»» sha_256 | string | false | none | The SHA256 hash of the file. |
»» size | integer | false | none | The size of the file in bytes. |
»» subcategory | string | false | none | The DFI source. |
»» subcategory_url | string | false | none | The link to DFI subcategory source code. |
»» vt_positives | integer | false | none | The Virus Total score. |
»» vt_weight | number(float) | false | none | The Virus Total weight. |
Enumerated Values
Property | Value |
---|---|
classification | MALICIOUS |
classification | UNKNOWN |
file_type | DOC |
file_type | DOCX |
file_type | EML |
file_type | OLE |
file_type | PPT |
file_type | XLS |
category | suspicious |
category | evasive |
category | info |
category | malicious |
subcategory | excel40_hunter |
subcategory | macro_hunter |
subcategory | maldoc_hunter |
subcategory | malfash_hunter |
subcategory | maljar_hunter |
subcategory | malpdf_hunter |
subcategory | pdfjs_hunter |
subcategory | phish_hunter |
subcategory | rtf_hunter |
subcategory | slk_hunter |
subcategory | swfdoc_hunter |
subcategory | xsl_hunter |
/api/dfi/list/alert/title
Code samples
# You can also use wget
curl --request GET \
  --header 'Accept: application/json' \
  'https://labs.inquest.net/api/dfi/list/alert/title'
GET https://labs.inquest.net/api/dfi/list/alert/title HTTP/1.1
Host: labs.inquest.net
Accept: application/json
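const headers = {
  'Accept': 'application/json'
};

fetch('https://labs.inquest.net/api/dfi/list/alert/title', {
  method: 'GET',
  headers: headers
})
  .then((res) => {
    // Non-2xx answers carry the same JSON envelope (see the Responses table),
    // so the body is still parsed, but the status is made visible.
    if (!res.ok) {
      console.error(`HTTP ${res.status}`);
    }
    return res.json();
  })
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // The generated sample had no rejection handler, so a network failure or
    // a non-JSON body surfaced as an unhandled promise rejection.
    console.error(err);
  });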
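require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

begin
  result = RestClient.get 'https://labs.inquest.net/api/dfi/list/alert/title',
                          params: {}, headers: headers
  p JSON.parse(result.body)
rescue RestClient::ExceptionWithResponse => e
  # RestClient raises on non-2xx; the response still carries the JSON error
  # envelope, so print it instead of letting the exception escape.
  warn "HTTP #{e.http_code}: #{e.response.body}"
end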
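import requests

headers = {
    'Accept': 'application/json'
}

# requests applies no timeout by default; without one a stalled connection blocks forever.
r = requests.get('https://labs.inquest.net/api/dfi/list/alert/title', headers=headers, timeout=30)
print(r.json())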
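<?php
require 'vendor/autoload.php';

$headers = array(
  'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
  // A GET carries no body; the generated sample sent 'json' => array(), which
  // serialises an empty JSON array as the request body.
  $response = $client->request('GET', 'https://labs.inquest.net/api/dfi/list/alert/title', array(
    'headers' => $headers,
    'timeout' => 30,
  ));
  print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
  // Non-2xx answers carry the JSON error envelope; print it, not just the message.
  print_r($e->getResponse()->getBody()->getContents());
}

// ...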
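URL obj = new URL("https://labs.inquest.net/api/dfi/list/alert/title");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
// Without timeouts a stalled connection blocks the calling thread indefinitely.
con.setConnectTimeout(10000);
con.setReadTimeout(30000);
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the JSON error envelope is on the error stream.
InputStream stream = responseCode >= 400 ? con.getErrorStream() : con.getInputStream();
StringBuilder response = new StringBuilder();
if (stream != null) {
    // try-with-resources closes the reader even when readLine() throws.
    try (BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
    }
}
con.disconnect();
System.out.println(response.toString());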
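package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

func main() {
	// A GET carries no body. The generated sample passed []byte{jsonReq}, which
	// does not compile: jsonReq is undefined and []byte{...} takes bytes, not a string.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/dfi/list/alert/title", nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Accept", "application/json")

	// The zero http.Client has no timeout; bound it so a stalled server cannot hang main.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	// Error statuses carry the same JSON envelope, so print the body regardless of status.
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp.StatusCode, string(body))
}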
GET /api/dfi/list/alert/title
DFI heuristic labels.
Retrieve a list of all DFI heuristic labels.
Example responses
200 Response
{
"success": true,
"data": [
"Analysis Evasion Strings",
"Base64 Encoded Executable in Macro",
"Chunked Suspicious Strings",
"Executable Embedded within Image"
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
500 | Internal Server Error | The stock response object for all responses from labs. | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | [string] | true | none | The InQuest alert titles. |
/api/dfi/queue
Code samples
# You can also use wget
# GET is curl's default method, so -X GET is redundant.
curl 'https://labs.inquest.net/api/dfi/queue' \
  -H 'Accept: application/json'
GET https://labs.inquest.net/api/dfi/queue HTTP/1.1
Host: labs.inquest.net
Accept: application/json
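const headers = {
  'Accept': 'application/json'
};

fetch('https://labs.inquest.net/api/dfi/queue', {
  method: 'GET',
  headers: headers
})
  .then((res) => {
    // Non-2xx answers carry the same JSON envelope (see the Responses table),
    // so the body is still parsed, but the status is made visible.
    if (!res.ok) {
      console.error(`HTTP ${res.status}`);
    }
    return res.json();
  })
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // The generated sample had no rejection handler, so a network failure or
    // a non-JSON body surfaced as an unhandled promise rejection.
    console.error(err);
  });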
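require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

begin
  result = RestClient.get 'https://labs.inquest.net/api/dfi/queue',
                          params: {}, headers: headers
  p JSON.parse(result.body)
rescue RestClient::ExceptionWithResponse => e
  # RestClient raises on non-2xx; the response still carries the JSON error
  # envelope, so print it instead of letting the exception escape.
  warn "HTTP #{e.http_code}: #{e.response.body}"
end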
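import requests

headers = {
    'Accept': 'application/json'
}

# requests applies no timeout by default; without one a stalled connection blocks forever.
r = requests.get('https://labs.inquest.net/api/dfi/queue', headers=headers, timeout=30)
print(r.json())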
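<?php
require 'vendor/autoload.php';

$headers = array(
  'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
  // A GET carries no body; the generated sample sent 'json' => array(), which
  // serialises an empty JSON array as the request body.
  $response = $client->request('GET', 'https://labs.inquest.net/api/dfi/queue', array(
    'headers' => $headers,
    'timeout' => 30,
  ));
  print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
  // Non-2xx answers carry the JSON error envelope; print it, not just the message.
  print_r($e->getResponse()->getBody()->getContents());
}

// ...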
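URL obj = new URL("https://labs.inquest.net/api/dfi/queue");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
// Without timeouts a stalled connection blocks the calling thread indefinitely.
con.setConnectTimeout(10000);
con.setReadTimeout(30000);
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the JSON error envelope is on the error stream.
InputStream stream = responseCode >= 400 ? con.getErrorStream() : con.getInputStream();
StringBuilder response = new StringBuilder();
if (stream != null) {
    // try-with-resources closes the reader even when readLine() throws.
    try (BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
    }
}
con.disconnect();
System.out.println(response.toString());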
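package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

func main() {
	// A GET carries no body. The generated sample passed []byte{jsonReq}, which
	// does not compile: jsonReq is undefined and []byte{...} takes bytes, not a string.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/dfi/queue", nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Accept", "application/json")

	// The zero http.Client has no timeout; bound it so a stalled server cannot hang main.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	// Error statuses carry the same JSON envelope, so print the body regardless of status.
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp.StatusCode, string(body))
}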
GET /api/dfi/queue
Files ahead of you in the queue.
How many files are currently in the queue waiting to be processed.
Example responses
200 Response
{
"success": true,
"data": 40
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
500 | Internal Server Error | The stock response object for all responses from labs. | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | integer | true | none | The number of files in the DFI queue. |
/api/dfi/upload
Code samples
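# You can also use wget
# The generated sample sent no body at all. Post the document's raw bytes;
# SAMPLE_PATH is a placeholder for the file to analyze (15MB limit, see below).
curl -X POST 'https://labs.inquest.net/api/dfi/upload' \
  -H 'Content-Type: application/octet-stream' \
  -H 'Accept: application/json' \
  --data-binary @SAMPLE_PATH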
POST https://labs.inquest.net/api/dfi/upload HTTP/1.1
Host: labs.inquest.net
Content-Type: application/octet-stream
Accept: application/json
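import { readFile } from 'node:fs/promises';

const headers = {
  'Content-Type': 'application/octet-stream',
  'Accept': 'application/json'
};

// The generated sample posted the literal string 'string' instead of file
// contents. Send the document's raw bytes; SAMPLE_PATH is a placeholder for
// the file to analyze (15MB limit, see below).
readFile('SAMPLE_PATH')
  .then((inputBody) => fetch('https://labs.inquest.net/api/dfi/upload', {
    method: 'POST',
    body: inputBody,
    headers: headers
  }))
  .then((res) => {
    // 400/413/500 answers carry the same JSON envelope (see the Responses
    // table), so the body is still parsed, but the status is made visible.
    if (!res.ok) {
      console.error(`HTTP ${res.status}`);
    }
    return res.json();
  })
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // Covers an unreadable sample, a network failure and a non-JSON body.
    console.error(err);
  });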
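require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/octet-stream',
  'Accept' => 'application/json'
}

begin
  # The generated sample sent no body at all. Post the document's raw bytes;
  # SAMPLE_PATH is a placeholder for the file to analyze (15MB limit, see below).
  result = RestClient.post 'https://labs.inquest.net/api/dfi/upload',
                           File.binread('SAMPLE_PATH'), headers
  p JSON.parse(result.body)
rescue RestClient::ExceptionWithResponse => e
  # 400/413/500 answers carry the JSON error envelope; print it rather than
  # letting the exception escape.
  warn "HTTP #{e.http_code}: #{e.response.body}"
end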
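import requests

headers = {
    'Content-Type': 'application/octet-stream',
    'Accept': 'application/json'
}

# The generated sample sent no body at all. Stream the document's raw bytes;
# SAMPLE_PATH is a placeholder for the file to analyze (15MB limit, see below).
# A timeout is set because requests otherwise waits indefinitely.
with open('SAMPLE_PATH', 'rb') as sample:
    r = requests.post('https://labs.inquest.net/api/dfi/upload', data=sample, headers=headers, timeout=120)
print(r.json())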
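<?php
require 'vendor/autoload.php';

$headers = array(
  'Content-Type' => 'application/octet-stream',
  'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
  // The generated sample sent 'json' => array(), i.e. an empty JSON array
  // rather than a document. Stream the file's raw bytes instead; SAMPLE_PATH
  // is a placeholder for the file to analyze (15MB limit, see below).
  $response = $client->request('POST', 'https://labs.inquest.net/api/dfi/upload', array(
    'headers' => $headers,
    'body' => fopen('SAMPLE_PATH', 'r'),
    'timeout' => 120,
  ));
  print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
  // 400/413/500 answers carry the JSON error envelope; print it, not just the message.
  print_r($e->getResponse()->getBody()->getContents());
}

// ...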
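URL obj = new URL("https://labs.inquest.net/api/dfi/upload");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/octet-stream");
con.setRequestProperty("Accept", "application/json");
// Without timeouts a stalled connection blocks the calling thread indefinitely.
con.setConnectTimeout(10000);
con.setReadTimeout(120000);
// The generated sample never sent a body. Stream the document's raw bytes;
// SAMPLE_PATH is a placeholder for the file to analyze (15MB limit, see below).
con.setDoOutput(true);
try (OutputStream out = con.getOutputStream()) {
    Files.copy(Paths.get("SAMPLE_PATH"), out);
}
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the JSON error envelope is on the error stream.
InputStream stream = responseCode >= 400 ? con.getErrorStream() : con.getInputStream();
StringBuilder response = new StringBuilder();
if (stream != null) {
    // try-with-resources closes the reader even when readLine() throws.
    try (BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
    }
}
con.disconnect();
System.out.println(response.toString());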
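package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"os"
	"time"
)

func main() {
	// The generated sample passed []byte{jsonReq}, which does not compile and
	// is not a document anyway. Stream the file's raw bytes; SAMPLE_PATH is a
	// placeholder for the file to analyze (15MB limit, see below).
	sample, err := os.Open("SAMPLE_PATH")
	if err != nil {
		log.Fatal(err)
	}
	defer sample.Close()

	req, err := http.NewRequest("POST", "https://labs.inquest.net/api/dfi/upload", sample)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Content-Type", "application/octet-stream")
	req.Header.Set("Accept", "application/json")

	// The zero http.Client has no timeout; bound it so a stalled server cannot hang main.
	client := &http.Client{Timeout: 120 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	// 400/413/500 answers carry the same JSON envelope, so print the body regardless of status.
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp.StatusCode, string(body))
}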
POST /api/dfi/upload
Upload a sample.
Upload a file for DFI inspection. Note: The maximum file size that can be uploaded is 15MB.
Body parameter
string
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
body | body | string(binary) | false | none |
Example responses
200 Response
{
"success": true,
"data": "518a94661be4f9e85eec5e5bae4bdec4c6890a1883f25959a9507452b0f9c698"
}
Bad Request
{
"success": false,
"data": [],
"error": "No file received."
}
{
"success": false,
"data": [],
"error": "Invalid file type received. Valid types include doc, xls, ppt, docx, xlsx, pptx."
}
413 Response
{
"success": false,
"data": [],
"error": "Maximum file size of 15MB exceeded."
}
Server Error
{
"success": false,
"data": [],
"error": "Failed saving file."
}
{
"success": false,
"data": [],
"error": "Unable to queue file for analysis."
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
400 | Bad Request | Bad Request | Inline |
413 | Payload Too Large | Too Large | Inline |
500 | Internal Server Error | Server Error | Inline |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | string | true | none | The SHA256 hash of the uploaded file. |
Status Code 400
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
Status Code 413
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
Status Code 500
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
IOC
IOC related operations.
/api/iocdb/search
Code samples
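# You can also use wget
# Quote the URL (an unquoted '?' is subject to shell globbing) and let curl
# URL-encode the search term rather than pasting it into the query string.
curl --get 'https://labs.inquest.net/api/iocdb/search' \
  --data-urlencode 'keyword=exploit.co' \
  -H 'Accept: application/json'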
GET https://labs.inquest.net/api/iocdb/search?keyword=exploit.co HTTP/1.1
Host: labs.inquest.net
Accept: application/json
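const headers = {
  'Accept': 'application/json'
};

// Build the query with URL/searchParams so the keyword is always URL-encoded;
// the generated sample pasted it into the string unencoded.
const url = new URL('https://labs.inquest.net/api/iocdb/search');
url.searchParams.set('keyword', 'exploit.co');

fetch(url, {
  method: 'GET',
  headers: headers
})
  .then((res) => {
    // A 400 (see Bad Request above) carries the same JSON envelope, so the
    // body is still parsed, but the status is made visible.
    if (!res.ok) {
      console.error(`HTTP ${res.status}`);
    }
    return res.json();
  })
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // The generated sample had no rejection handler, so a network failure or
    // a non-JSON body surfaced as an unhandled promise rejection.
    console.error(err);
  });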
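require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

begin
  # Use the same search term as the other samples; the generated sample sent
  # the placeholder 'string'. RestClient URL-encodes params values.
  result = RestClient.get 'https://labs.inquest.net/api/iocdb/search',
                          params: { 'keyword' => 'exploit.co' }, headers: headers
  p JSON.parse(result.body)
rescue RestClient::ExceptionWithResponse => e
  # A 400 (see Bad Request above) carries the JSON error envelope; print it
  # instead of letting the exception escape.
  warn "HTTP #{e.http_code}: #{e.response.body}"
end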
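import requests

headers = {
    'Accept': 'application/json'
}

# params= URL-encodes the keyword. requests applies no timeout by default;
# without one a stalled connection blocks forever.
r = requests.get('https://labs.inquest.net/api/iocdb/search', params={
    'keyword': 'exploit.co'
}, headers=headers, timeout=30)
print(r.json())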
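<?php
require 'vendor/autoload.php';

$headers = array(
  'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
  // The generated sample never passed the keyword (the request would be
  // answered with "No search 'keyword' specified.") and sent an empty JSON
  // array as the GET body. Guzzle URL-encodes 'query' values.
  $response = $client->request('GET', 'https://labs.inquest.net/api/iocdb/search', array(
    'headers' => $headers,
    'query' => array('keyword' => 'exploit.co'),
    'timeout' => 30,
  ));
  print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
  // A 400 carries the JSON error envelope; print it, not just the message.
  print_r($e->getResponse()->getBody()->getContents());
}

// ...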
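String keyword = "exploit.co";
// Encode the query value; a raw keyword pasted into the URL is not URL-safe in general.
URL obj = new URL("https://labs.inquest.net/api/iocdb/search?keyword=" + URLEncoder.encode(keyword, "UTF-8"));
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
// Without timeouts a stalled connection blocks the calling thread indefinitely.
con.setConnectTimeout(10000);
con.setReadTimeout(30000);
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the JSON error envelope is on the error stream.
InputStream stream = responseCode >= 400 ? con.getErrorStream() : con.getInputStream();
StringBuilder response = new StringBuilder();
if (stream != null) {
    // try-with-resources closes the reader even when readLine() throws.
    try (BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
    }
}
con.disconnect();
System.out.println(response.toString());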
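package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"net/url"
	"time"
)

func main() {
	// The generated sample never sent the keyword and passed []byte{jsonReq},
	// which does not compile. url.Values encodes the query value.
	q := url.Values{}
	q.Set("keyword", "exploit.co")
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/iocdb/search?"+q.Encode(), nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Accept", "application/json")

	// The zero http.Client has no timeout; bound it so a stalled server cannot hang main.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	// A 400 carries the same JSON envelope, so print the body regardless of status.
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp.StatusCode, string(body))
}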
GET /api/iocdb/search
IOC search.
Search the IOC database for the specified keyword.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
keyword | query | string | true | The search term. |
Example responses
200 Response
{
"success": true,
"data": [
{
"artifact": "nopsansi.org",
"artifact_type": "domain",
"created_date": "Fri, 04 Sep 2020 03:26:31 GMT",
"reference_link": "https://twitter.com/ecarlesi/status/1301722047601610753",
"reference_text": "Possible threat on hxxps://nopsansi[.]org/biw/O[.]Drive%20(LATEST)[.]zip #phishing #opendir @google"
},
{
"artifact": "nopsansi.org",
"artifact_type": "domain",
"created_date": "Fri, 04 Sep 2020 03:26:31 GMT",
"reference_link": "https://twitter.com/ecarlesi/status/1301722057009487872",
"reference_text": "Possible threat on hxxps://nopsansi[.]org/nep/O[.]Drive%20(LATEST)[.]zip #phishing #opendir @google"
}
]
}
Bad Request
{
"success": false,
"data": {},
"error": "No search 'keyword' specified."
}
{
"success": false,
"data": {},
"error": "The 'keyword' parameter must be at least 3 bytes long."
}
{
"success": false,
"data": {},
"error": "The 'keyword' parameter can not contain percent (%), asterisk (*), or sequential underscores (__)."
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
400 | Bad Request | Bad Request | Inline |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | [Indicator] | true | none | The matching query results. |
»» artifact | string | true | none | The value of the artifact. |
»» artifact_type | ArtifactType | true | none | An artifact type such as domain, IP, or URL. |
»» created_date | string | true | none | The artifact first-seen datetime. |
»» reference_link | string | false | none | The URL where the artifact was originally found. |
»» reference_text | any | false | none | The scraped text containing the raw artifact. |
Enumerated Values
Property | Value |
---|---|
artifact_type | asn_num |
artifact_type | domain |
artifact_type | |
artifact_type | filename |
artifact_type | hash |
artifact_type | ip |
artifact_type | ipaddress |
artifact_type | url |
artifact_type | yarasignature |
Status Code 400
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
/api/iocdb/sources
Code samples
# You can also use wget
# GET is curl's default method, so -X GET is redundant.
curl 'https://labs.inquest.net/api/iocdb/sources' \
  -H 'Accept: application/json'
GET https://labs.inquest.net/api/iocdb/sources HTTP/1.1
Host: labs.inquest.net
Accept: application/json
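const headers = {
  'Accept': 'application/json'
};

fetch('https://labs.inquest.net/api/iocdb/sources', {
  method: 'GET',
  headers: headers
})
  .then((res) => {
    // Non-2xx answers carry the same JSON envelope (see the Responses table),
    // so the body is still parsed, but the status is made visible.
    if (!res.ok) {
      console.error(`HTTP ${res.status}`);
    }
    return res.json();
  })
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // The generated sample had no rejection handler, so a network failure or
    // a non-JSON body surfaced as an unhandled promise rejection.
    console.error(err);
  });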
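require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

begin
  result = RestClient.get 'https://labs.inquest.net/api/iocdb/sources',
                          params: {}, headers: headers
  p JSON.parse(result.body)
rescue RestClient::ExceptionWithResponse => e
  # RestClient raises on non-2xx; the response still carries the JSON error
  # envelope, so print it instead of letting the exception escape.
  warn "HTTP #{e.http_code}: #{e.response.body}"
end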
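import requests

headers = {
    'Accept': 'application/json'
}

# requests applies no timeout by default; without one a stalled connection blocks forever.
r = requests.get('https://labs.inquest.net/api/iocdb/sources', headers=headers, timeout=30)
print(r.json())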
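<?php
require 'vendor/autoload.php';

$headers = array(
  'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
  // A GET carries no body; the generated sample sent 'json' => array(), which
  // serialises an empty JSON array as the request body.
  $response = $client->request('GET', 'https://labs.inquest.net/api/iocdb/sources', array(
    'headers' => $headers,
    'timeout' => 30,
  ));
  print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
  // Non-2xx answers carry the JSON error envelope; print it, not just the message.
  print_r($e->getResponse()->getBody()->getContents());
}

// ...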
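URL obj = new URL("https://labs.inquest.net/api/iocdb/sources");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
// Without timeouts a stalled connection blocks the calling thread indefinitely.
con.setConnectTimeout(10000);
con.setReadTimeout(30000);
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the JSON error envelope is on the error stream.
InputStream stream = responseCode >= 400 ? con.getErrorStream() : con.getInputStream();
StringBuilder response = new StringBuilder();
if (stream != null) {
    // try-with-resources closes the reader even when readLine() throws.
    try (BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
    }
}
con.disconnect();
System.out.println(response.toString());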
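package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

func main() {
	// A GET carries no body. The generated sample passed []byte{jsonReq}, which
	// does not compile: jsonReq is undefined and []byte{...} takes bytes, not a string.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/iocdb/sources", nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Accept", "application/json")

	// The zero http.Client has no timeout; bound it so a stalled server cannot hang main.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	// Error statuses carry the same JSON envelope, so print the body regardless of status.
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp.StatusCode, string(body))
}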
GET /api/iocdb/sources
IOC database sources.
Lists the IOC database sources.
Example responses
200 Response
{
"success": true,
"data": {
"anomali": "https://www.anomali.com/site/blog-rss",
"carbonblack": "http://www.carbonblack.com/feed/",
"clearskysec": "http://www.clearskysec.com/feed/",
"fireeye": "https://www.fireeye.com/blog/threat-research/_jcr_content.feed"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
500 | Internal Server Error | The stock response object for all responses from labs. | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | The IOC sources and their URL. |
/api/iocdb/list
Code samples
# You can also use wget
# GET is curl's default method, so -X GET is redundant.
curl 'https://labs.inquest.net/api/iocdb/list' \
  -H 'Accept: application/json'
GET https://labs.inquest.net/api/iocdb/list HTTP/1.1
Host: labs.inquest.net
Accept: application/json
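const headers = {
  'Accept': 'application/json'
};

fetch('https://labs.inquest.net/api/iocdb/list', {
  method: 'GET',
  headers: headers
})
  .then((res) => {
    // Non-2xx answers carry the same JSON envelope (see the Responses table),
    // so the body is still parsed, but the status is made visible.
    if (!res.ok) {
      console.error(`HTTP ${res.status}`);
    }
    return res.json();
  })
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // The generated sample had no rejection handler, so a network failure or
    // a non-JSON body surfaced as an unhandled promise rejection.
    console.error(err);
  });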
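require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

begin
  result = RestClient.get 'https://labs.inquest.net/api/iocdb/list',
                          params: {}, headers: headers
  p JSON.parse(result.body)
rescue RestClient::ExceptionWithResponse => e
  # RestClient raises on non-2xx; the response still carries the JSON error
  # envelope, so print it instead of letting the exception escape.
  warn "HTTP #{e.http_code}: #{e.response.body}"
end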
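import requests

headers = {
    'Accept': 'application/json'
}

# requests applies no timeout by default; without one a stalled connection blocks forever.
r = requests.get('https://labs.inquest.net/api/iocdb/list', headers=headers, timeout=30)
print(r.json())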
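<?php
require 'vendor/autoload.php';

$headers = array(
  'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
  // A GET carries no body; the generated sample sent 'json' => array(), which
  // serialises an empty JSON array as the request body.
  $response = $client->request('GET', 'https://labs.inquest.net/api/iocdb/list', array(
    'headers' => $headers,
    'timeout' => 30,
  ));
  print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
  // Non-2xx answers carry the JSON error envelope; print it, not just the message.
  print_r($e->getResponse()->getBody()->getContents());
}

// ...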
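URL obj = new URL("https://labs.inquest.net/api/iocdb/list");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
// Without timeouts a stalled connection blocks the calling thread indefinitely.
con.setConnectTimeout(10000);
con.setReadTimeout(30000);
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the JSON error envelope is on the error stream.
InputStream stream = responseCode >= 400 ? con.getErrorStream() : con.getInputStream();
StringBuilder response = new StringBuilder();
if (stream != null) {
    // try-with-resources closes the reader even when readLine() throws.
    try (BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
    }
}
con.disconnect();
System.out.println(response.toString());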
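package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

func main() {
	// A GET carries no body. The generated sample passed []byte{jsonReq}, which
	// does not compile: jsonReq is undefined and []byte{...} takes bytes, not a string.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/iocdb/list", nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Accept", "application/json")

	// The zero http.Client has no timeout; bound it so a stalled server cannot hang main.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	// Error statuses carry the same JSON envelope, so print the body regardless of status.
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp.StatusCode, string(body))
}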
GET /api/iocdb/list
List of iocdb artifacts.
List of artifacts in the IOC database. Note: A maximum of 1337 records will be returned with or without a valid API key.
Example responses
200 Response
{
"success": true,
"data": [
{
"artifact": "nopsansi.org",
"artifact_type": "domain",
"created_date": "Fri, 04 Sep 2020 03:26:31 GMT",
"reference_link": "https://twitter.com/ecarlesi/status/1301722047601610753",
"reference_text": "Possible threat on hxxps://nopsansi[.]org/biw/O[.]Drive%20(LATEST)[.]zip #phishing #opendir @google"
},
{
"artifact": "nopsansi.org",
"artifact_type": "domain",
"created_date": "Fri, 04 Sep 2020 03:26:31 GMT",
"reference_link": "https://twitter.com/ecarlesi/status/1301722057009487872",
"reference_text": "Possible threat on hxxps://nopsansi[.]org/nep/O[.]Drive%20(LATEST)[.]zip #phishing #opendir @google"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
500 | Internal Server Error | The stock response object for all responses from labs. | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | [Indicator] | true | none | The matching query results. |
»» artifact | string | true | none | The value of the artifact. |
»» artifact_type | ArtifactType | true | none | An artifact type such as domain, IP, or URL. |
»» created_date | string | true | none | The artifact first-seen datetime. |
»» reference_link | string | false | none | The URL where the artifact was originally found. |
»» reference_text | any | false | none | The scraped text containing the raw artifact. |
Enumerated Values
Property | Value |
---|---|
artifact_type | asn_num |
artifact_type | domain |
artifact_type | |
artifact_type | filename |
artifact_type | hash |
artifact_type | ip |
artifact_type | ipaddress |
artifact_type | url |
artifact_type | yarasignature |
Reputation
Reputation related operations.
/api/repdb/search
Code samples
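# You can also use wget
# Quote the URL (an unquoted '?' is subject to shell globbing) and let curl
# URL-encode the search term rather than pasting it into the query string.
curl --get 'https://labs.inquest.net/api/repdb/search' \
  --data-urlencode 'keyword=exploit.co' \
  -H 'Accept: application/json'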
GET https://labs.inquest.net/api/repdb/search?keyword=exploit.co HTTP/1.1
Host: labs.inquest.net
Accept: application/json
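const headers = {
  'Accept': 'application/json'
};

// Build the query with URL/searchParams so the keyword is always URL-encoded;
// the generated sample pasted it into the string unencoded.
const url = new URL('https://labs.inquest.net/api/repdb/search');
url.searchParams.set('keyword', 'exploit.co');

fetch(url, {
  method: 'GET',
  headers: headers
})
  .then((res) => {
    // A 400 (see Bad Request above) carries the same JSON envelope, so the
    // body is still parsed, but the status is made visible.
    if (!res.ok) {
      console.error(`HTTP ${res.status}`);
    }
    return res.json();
  })
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // The generated sample had no rejection handler, so a network failure or
    // a non-JSON body surfaced as an unhandled promise rejection.
    console.error(err);
  });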
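require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

begin
  # Use the same search term as the other samples; the generated sample sent
  # the placeholder 'string'. RestClient URL-encodes params values.
  result = RestClient.get 'https://labs.inquest.net/api/repdb/search',
                          params: { 'keyword' => 'exploit.co' }, headers: headers
  p JSON.parse(result.body)
rescue RestClient::ExceptionWithResponse => e
  # A 400 (see Bad Request above) carries the JSON error envelope; print it
  # instead of letting the exception escape.
  warn "HTTP #{e.http_code}: #{e.response.body}"
end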
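import requests

headers = {
    'Accept': 'application/json'
}

# params= URL-encodes the keyword. requests applies no timeout by default;
# without one a stalled connection blocks forever.
r = requests.get('https://labs.inquest.net/api/repdb/search', params={
    'keyword': 'exploit.co'
}, headers=headers, timeout=30)
print(r.json())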
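<?php
require 'vendor/autoload.php';

$headers = array(
  'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
  // The generated sample never passed the keyword (the request would be
  // answered with "No search 'keyword' specified.") and sent an empty JSON
  // array as the GET body. Guzzle URL-encodes 'query' values.
  $response = $client->request('GET', 'https://labs.inquest.net/api/repdb/search', array(
    'headers' => $headers,
    'query' => array('keyword' => 'exploit.co'),
    'timeout' => 30,
  ));
  print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
  // A 400 carries the JSON error envelope; print it, not just the message.
  print_r($e->getResponse()->getBody()->getContents());
}

// ...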
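String keyword = "exploit.co";
// Encode the query value; a raw keyword pasted into the URL is not URL-safe in general.
URL obj = new URL("https://labs.inquest.net/api/repdb/search?keyword=" + URLEncoder.encode(keyword, "UTF-8"));
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
// Without timeouts a stalled connection blocks the calling thread indefinitely.
con.setConnectTimeout(10000);
con.setReadTimeout(30000);
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the JSON error envelope is on the error stream.
InputStream stream = responseCode >= 400 ? con.getErrorStream() : con.getInputStream();
StringBuilder response = new StringBuilder();
if (stream != null) {
    // try-with-resources closes the reader even when readLine() throws.
    try (BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
    }
}
con.disconnect();
System.out.println(response.toString());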
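package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"net/url"
	"time"
)

func main() {
	// The generated sample never sent the keyword and passed []byte{jsonReq},
	// which does not compile. url.Values encodes the query value.
	q := url.Values{}
	q.Set("keyword", "exploit.co")
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/repdb/search?"+q.Encode(), nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Accept", "application/json")

	// The zero http.Client has no timeout; bound it so a stalled server cannot hang main.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	// A 400 carries the same JSON envelope, so print the body regardless of status.
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp.StatusCode, string(body))
}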
GET /api/repdb/search
Reputation Database search.
Search the reputation database for the specified keyword.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
keyword | query | string | true | The search term. |
Example responses
200 Response
{
"success": true,
"data": [
{
"created_date": "Sat, 05 Sep 2020 05:56:40 GMT",
"data": "paben.co.uk/cyndeiq.exe",
"data_type": "url",
"derived": "paben.co.uk",
"derived_type": "domain",
"source": "urlhaus",
"source_url": "https://urlhaus.abuse.ch/host/paben.co.uk"
}
]
}
Bad Request
{
"success": false,
"data": {},
"error": "No search 'keyword' specified."
}
{
"success": false,
"data": {},
"error": "The 'keyword' parameter must be at least 3 bytes long."
}
{
"success": false,
"data": {},
"error": "The 'keyword' parameter can not contain percent (%), asterisk (*), or sequential underscores (__)."
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
400 | Bad Request | Bad Request | Inline |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | [Reputation] | true | none | The matching query results. |
»» created_date | string | true | none | The artifact first-seen datetime. |
»» data | string | true | none | The value of the artifact. |
»» data_type | ArtifactType | true | none | An artifact type such as domain, IP, or URL. |
»» derived | string | false | none | The domain, host, or IP address extracted from the artifact if such extraction is possible. |
»» derived_type | ArtifactType | false | none | An artifact type such as domain, IP, or URL. |
»» source | string | true | none | The source reputation feed. |
»» source_url | string | false | none | The link to the artifact on the reputation feed. |
Enumerated Values
Property | Value |
---|---|
data_type | asn_num |
data_type | domain |
data_type | |
data_type | filename |
data_type | hash |
data_type | ip |
data_type | ipaddress |
data_type | url |
data_type | yarasignature |
derived_type | asn_num |
derived_type | domain |
derived_type | |
derived_type | filename |
derived_type | hash |
derived_type | ip |
derived_type | ipaddress |
derived_type | url |
derived_type | yarasignature |
Status Code 400
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
/api/repdb/sources
Code samples
# You can also use wget
# GET is curl's default method, so -X GET is redundant.
curl 'https://labs.inquest.net/api/repdb/sources' \
  -H 'Accept: application/json'
GET https://labs.inquest.net/api/repdb/sources HTTP/1.1
Host: labs.inquest.net
Accept: application/json
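const headers = {
  'Accept': 'application/json'
};

fetch('https://labs.inquest.net/api/repdb/sources', {
  method: 'GET',
  headers: headers
})
  .then((res) => {
    // Non-2xx answers carry the same JSON envelope (see the Responses table),
    // so the body is still parsed, but the status is made visible.
    if (!res.ok) {
      console.error(`HTTP ${res.status}`);
    }
    return res.json();
  })
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // The generated sample had no rejection handler, so a network failure or
    // a non-JSON body surfaced as an unhandled promise rejection.
    console.error(err);
  });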
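require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

begin
  result = RestClient.get 'https://labs.inquest.net/api/repdb/sources',
                          params: {}, headers: headers
  p JSON.parse(result.body)
rescue RestClient::ExceptionWithResponse => e
  # RestClient raises on non-2xx; the response still carries the JSON error
  # envelope, so print it instead of letting the exception escape.
  warn "HTTP #{e.http_code}: #{e.response.body}"
end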
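import requests

headers = {
    'Accept': 'application/json'
}

# requests applies no timeout by default; without one a stalled connection blocks forever.
r = requests.get('https://labs.inquest.net/api/repdb/sources', headers=headers, timeout=30)
print(r.json())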
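<?php
require 'vendor/autoload.php';

$headers = array(
  'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
  // A GET carries no body; the generated sample sent 'json' => array(), which
  // serialises an empty JSON array as the request body.
  $response = $client->request('GET', 'https://labs.inquest.net/api/repdb/sources', array(
    'headers' => $headers,
    'timeout' => 30,
  ));
  print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
  // Non-2xx answers carry the JSON error envelope; print it, not just the message.
  print_r($e->getResponse()->getBody()->getContents());
}

// ...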
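URL obj = new URL("https://labs.inquest.net/api/repdb/sources");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
// Without timeouts a stalled connection blocks the calling thread indefinitely.
con.setConnectTimeout(10000);
con.setReadTimeout(30000);
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the JSON error envelope is on the error stream.
InputStream stream = responseCode >= 400 ? con.getErrorStream() : con.getInputStream();
StringBuilder response = new StringBuilder();
if (stream != null) {
    // try-with-resources closes the reader even when readLine() throws.
    try (BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
    }
}
con.disconnect();
System.out.println(response.toString());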
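package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

func main() {
	// A GET carries no body. The generated sample passed []byte{jsonReq}, which
	// does not compile: jsonReq is undefined and []byte{...} takes bytes, not a string.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/repdb/sources", nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Accept", "application/json")

	// The zero http.Client has no timeout; bound it so a stalled server cannot hang main.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	// Error statuses carry the same JSON envelope, so print the body regardless of status.
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp.StatusCode, string(body))
}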
GET /api/repdb/sources
Reputation database sources.
Lists the reputation database sources.
Example responses
200 Response
{
"success": true,
"data": {
"abuse.ch": "https://abuse.ch",
"alienvault": "https://www.alienvault.com/open-threat-exchange",
"bambenek": "http://osint.bambenekconsulting.com/feeds/",
"binarydefense": "https://www.binarydefense.com",
"blocklist": "http://lists.blocklist.de"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
500 | Internal Server Error | The stock response object for all responses from labs. | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | The reputation feed source and URL. |
/api/repdb/list
Code samples
# You can also use wget
# GET is curl's default method, so -X GET is redundant.
curl 'https://labs.inquest.net/api/repdb/list' \
  -H 'Accept: application/json'
GET https://labs.inquest.net/api/repdb/list HTTP/1.1
Host: labs.inquest.net
Accept: application/json
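const headers = {
  'Accept': 'application/json'
};

fetch('https://labs.inquest.net/api/repdb/list', {
  method: 'GET',
  headers: headers
})
  .then((res) => {
    // Non-2xx answers carry the same JSON envelope (see the Responses table),
    // so the body is still parsed, but the status is made visible.
    if (!res.ok) {
      console.error(`HTTP ${res.status}`);
    }
    return res.json();
  })
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // The generated sample had no rejection handler, so a network failure or
    // a non-JSON body surfaced as an unhandled promise rejection.
    console.error(err);
  });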
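require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

begin
  result = RestClient.get 'https://labs.inquest.net/api/repdb/list',
                          params: {}, headers: headers
  p JSON.parse(result.body)
rescue RestClient::ExceptionWithResponse => e
  # RestClient raises on non-2xx; the response still carries the JSON error
  # envelope, so print it instead of letting the exception escape.
  warn "HTTP #{e.http_code}: #{e.response.body}"
end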
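import requests

headers = {
    'Accept': 'application/json'
}

# requests applies no timeout by default; without one a stalled connection blocks forever.
r = requests.get('https://labs.inquest.net/api/repdb/list', headers=headers, timeout=30)
print(r.json())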
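<?php
require 'vendor/autoload.php';

$headers = array(
  'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
  // A GET carries no body; the generated sample sent 'json' => array(), which
  // serialises an empty JSON array as the request body.
  $response = $client->request('GET', 'https://labs.inquest.net/api/repdb/list', array(
    'headers' => $headers,
    'timeout' => 30,
  ));
  print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
  // Non-2xx answers carry the JSON error envelope; print it, not just the message.
  print_r($e->getResponse()->getBody()->getContents());
}

// ...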
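URL obj = new URL("https://labs.inquest.net/api/repdb/list");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
// Without timeouts a stalled connection blocks the calling thread indefinitely.
con.setConnectTimeout(10000);
con.setReadTimeout(30000);
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the JSON error envelope is on the error stream.
InputStream stream = responseCode >= 400 ? con.getErrorStream() : con.getInputStream();
StringBuilder response = new StringBuilder();
if (stream != null) {
    // try-with-resources closes the reader even when readLine() throws.
    try (BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
    }
}
con.disconnect();
System.out.println(response.toString());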
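package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

// main fetches the repdb listing and prints the status line and raw JSON body.
func main() {
	// A GET carries no body, so the request is built with nil.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/repdb/list", nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Accept", "application/json")

	// Bound the request so a stalled server cannot hang the program.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp.Status)
	fmt.Println(string(body))
}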
GET /api/repdb/list
List of repdb artifacts.
Lists the artifacts in the reputation database. Note: A maximum of 1337 records will be returned with or without a valid API key.
Example responses
200 Response
{
"success": true,
"data": [
{
"created_date": "Sat, 05 Sep 2020 05:56:40 GMT",
"data": "beautyevent.ru/Invoice-for-j/b-03/05/2018/",
"data_type": "url",
"derived": "beautyevent.ru",
"derived_type": "domain",
"source": "urlhaus",
"source_url": "https://urlhaus.abuse.ch/host/beautyevent.ru"
},
{
"created_date": "Sat, 05 Sep 2020 05:56:40 GMT",
"data": "hellohello-pension.com/Summit-Companies-Invoice-1451397/",
"data_type": "url",
"derived": "hellohello-pension.com",
"derived_type": "domain",
"source": "urlhaus",
"source_url": "https://urlhaus.abuse.ch/host/hellohello-pension.com"
},
{
"created_date": "Sat, 05 Sep 2020 05:56:40 GMT",
"data": "opora-company.ru/O5Go/",
"data_type": "url",
"derived": "opora-company.ru",
"derived_type": "domain",
"source": "urlhaus",
"source_url": "https://urlhaus.abuse.ch/host/opora-company.ru"
},
{
"created_date": "Sat, 05 Sep 2020 05:56:40 GMT",
"data": "sportists.com/Paid-Invoice/",
"data_type": "url",
"derived": "sportists.com",
"derived_type": "domain",
"source": "urlhaus",
"source_url": "https://urlhaus.abuse.ch/host/sportists.com"
},
{
"created_date": "Sat, 05 Sep 2020 05:56:40 GMT",
"data": "gerrydear.id.au/INFO/PEGF72862VFJCQN/Mar-01-2018-803700718/YVYK-EJI/",
"data_type": "url",
"derived": "gerrydear.id.au",
"derived_type": "domain",
"source": "urlhaus",
"source_url": "https://urlhaus.abuse.ch/host/gerrydear.id.au"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
500 | Internal Server Error | The stock response object for all responses from labs. | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | string | true | none | False if there was an error processing the request, otherwise True. |
» data | [Reputation] | true | none | The matching query results. |
»» created_date | string | true | none | The artifact first-seen datetime. |
»» data | string | true | none | The value of the artifact. |
»» data_type | ArtifactType | true | none | An artifact type such as domain, IP, or URL. |
»» derived | string | false | none | The domain, host, or IP address extracted from the artifact if such extraction is possible. |
»» derived_type | ArtifactType | false | none | An artifact type such as domain, IP, or URL. |
»» source | string | true | none | The source reputation feed. |
»» source_url | string | false | none | The link to the artifact on the reputation feed. |
Enumerated Values
Property | Value |
---|---|
data_type | asn_num |
data_type | domain |
data_type | |
data_type | filename |
data_type | hash |
data_type | ip |
data_type | ipaddress |
data_type | url |
data_type | yarasignature |
derived_type | asn_num |
derived_type | domain |
derived_type | |
derived_type | filename |
derived_type | hash |
derived_type | ip |
derived_type | ipaddress |
derived_type | url |
derived_type | yarasignature |
YARA
YARA related operations.
/api/yara/base64re
Code samples
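# You can also use wget
# The URL is quoted so the shell cannot treat '?' as a filename glob.
curl --request GET \
  --header 'Accept: application/json' \
  'https://labs.inquest.net/api/yara/base64re?instring=pedram%5Ba-z%5D%2Bwas.here'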
GET https://labs.inquest.net/api/yara/base64re?instring=pedram%5Ba-z%5D%2Bwas.here HTTP/1.1
Host: labs.inquest.net
Accept: application/json
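const headers = {
  'Accept': 'application/json',
};

// 400/500 responses carry the same JSON envelope as a 200, so the body is
// parsed regardless of status; only transport/parse failures reject.
fetch('https://labs.inquest.net/api/yara/base64re?instring=pedram%5Ba-z%5D%2Bwas.here', {
  method: 'GET',
  headers,
})
  .then((res) => res.json())
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // Without a rejection handler a network failure surfaces as an unhandled rejection.
    console.error('request failed:', err);
  });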
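require 'rest-client'
require 'json'

# rest-client takes the header hash directly; its :params entry becomes the
# query string. The value is the same example input the other samples use.
headers = {
  'Accept' => 'application/json',
  params: {
    'instring' => 'pedram[a-z]+was.here',
  },
}

result = RestClient.get('https://labs.inquest.net/api/yara/base64re', headers)
p JSON.parse(result)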
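import requests

headers = {
    'Accept': 'application/json',
}

# Bound the request: without a timeout a stalled connection blocks forever.
r = requests.get(
    'https://labs.inquest.net/api/yara/base64re',
    params={'instring': 'pedram[a-z]+was.here'},
    headers=headers,
    timeout=30,
)
# 400/500 responses carry the same JSON envelope, so print the body before raising.
print(r.json())
r.raise_for_status()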
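<?php
require 'vendor/autoload.php';

$headers = array(
    'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
    // 'instring' is required by this endpoint; it goes in the query string,
    // and a GET carries no JSON body.
    $response = $client->request('GET', 'https://labs.inquest.net/api/yara/base64re', array(
        'headers' => $headers,
        'query' => array('instring' => 'pedram[a-z]+was.here'),
    ));
    print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
    // 4xx/5xx from the API; the message includes the status and a body excerpt.
    print_r($e->getMessage());
}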
// ...
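URL obj = new URL("https://labs.inquest.net/api/yara/base64re?instring=pedram%5Ba-z%5D%2Bwas.here");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
// HttpURLConnection sends no Accept header on its own.
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the JSON error envelope is on getErrorStream().
StringBuilder response = new StringBuilder();
try (BufferedReader in = new BufferedReader(new InputStreamReader(
        responseCode >= 400 ? con.getErrorStream() : con.getInputStream()))) {
    String inputLine;
    while ((inputLine = in.readLine()) != null) {
        response.append(inputLine);
    }
}
System.out.println(response.toString());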
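package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

// main calls base64re with the example input and prints the status line and raw JSON body.
func main() {
	// A GET carries no body, so the request is built with nil.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/yara/base64re", nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Accept", "application/json")

	// 'instring' is required; url.Values handles the percent-encoding.
	q := req.URL.Query()
	q.Set("instring", "pedram[a-z]+was.here")
	req.URL.RawQuery = q.Encode()

	// Bound the request so a stalled server cannot hang the program.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp.Status)
	fmt.Println(string(body))
}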
GET /api/yara/base64re
Regex base64 convert.
Converts a plain text regular expression into a base64 compatible version.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
instring | query | string | true | Input string to convert to regex that will match within base64 encoded content. |
option | query | string | false | Pre-processor option that signifies widening instring by a selectable endian-ness. |
Detailed descriptions
option: Pre-processor option that signifies widening instring by a selectable endian-ness. Valid values are NONE, WIDEN_BIG, and WIDEN_LITTLE. The default value is NONE.
Enumerated Values
Parameter | Value |
---|---|
option | NONE |
option | WIDEN_BIG |
option | WIDEN_LITTLE |
Example responses
200 Response
{
"success": true,
"data": "(cABlAGQAcgBhAG0A[YZa-e][AQgw]B[0-6h-z]AHcAYQBzA[A-P][048AEIMQUYcgkosw]AaABlAHIAZQ[A-D]|[\\x2b\\x2f-9A-Za-z][3HXn]A{2}ZQBkAHIAYQBtA[GH][048AEIMQUYcgkosw]A[YZa-e][AQgw]B3AGEAcw[A-D][\\x2b\\x2f-9A-Za-z]AGgAZQByAGUA|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx]wAGUAZAByAGEAbQB[0-6h-z]A([23GHWXmn][048AEIMQUYcgkosw]|[YZa-e][AQgw]|[159BFJNRVZdhlptx][0-6h-z]A|[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw])*[23GHWXmn][048AEIMQUYcgkosw]AdwBhAHMA[\\x2b\\x2f-9A-Za-z][AQgw]BoAGUAcgBlA[A-P]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx]wAGUAZAByAGEAbQB[0-6h-z]AHcAYQBzA[A-P][048AEIMQUYcgkosw]AaABlAHIAZQ[A-D]|cABlAGQAcgBhAG0A[YZa-e][AQgw]([23GHWXmn][048AEIMQUYcgkosw]|[YZa-e][AQgw]|[159BFJNRVZdhlptx][0-6h-z]A|[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw])*[YZa-e][AQgw]B3AGEAcw[A-D][\\x2b\\x2f-9A-Za-z]AGgAZQByAGUA|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx]wAGUAZAByAGEAbQB[0-6h-z]A([23GHWXmn][048AEIMQUYcgkosw]|[YZa-e][AQgw]|[159BFJNRVZdhlptx][0-6h-z]A|[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw])*[YZa-e][AQgw]B3AGEAcw[A-D][\\x2b\\x2f-9A-Za-z]AGgAZQByAGUA|cABlAGQAcgBhAG0A[YZa-e][AQgw]([23GHWXmn][048AEIMQUYcgkosw]|[YZa-e][AQgw]|[159BFJNRVZdhlptx][0-6h-z]A|[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw])*[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw]B3AGEAcw[A-D][\\x2b\\x2f-9A-Za-z]AGgAZQByAGUA|[\\x2b\\x2f-9A-Za-z][3HXn]A{2}ZQBkAHIAYQBtA[GH][048AEIMQUYcgkosw]A([23GHWXmn][048AEIMQUYcgkosw]|[YZa-e][AQgw]|[159BFJNRVZdhlptx][0-6h-z]A|[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw])*[YZa-e][AQgw]B3AGEAcw[A-D][\\x2b\\x2f-9A-Za-z]AGgAZQByAGUA|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx]wAGUAZAByAGEAbQB[0-6h-z]A([23GHWXmn][048AEIMQUYcgkosw]|[YZa-e][AQgw]|[159BFJNRVZdhlptx][0-6h-z]A|[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw])*[159BFJNRVZdhlptx][0-6h-z]AHcAYQBzA[A-P][048AEIMQUYcgkosw]AaABlAHIAZQ[A-D]|[\\x2b\\x2f-9A-Za-z][3HXn]A{2}ZQBkAHIAYQBtA[GH][048AEIMQUYcgkosw]A([23GHWXmn][048AEIMQUYcgkosw]|[YZa-e][AQgw]|[159BFJNRVZdhlptx][0-6h-z]A|[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw])*[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw]B3AGEAcw[A-D][\\x2b\\x2f-9A-Za-z]AGgAZQByAGUA|cABlAGQAcgBhAG0A[YZa-e][AQgw]B3AGEAcw
[A-D][\\x2b\\x2f-9A-Za-z]AGgAZQByAGUA|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx]wAGUAZAByAGEAbQB[0-6h-z]A([23GHWXmn][048AEIMQUYcgkosw]|[YZa-e][AQgw]|[159BFJNRVZdhlptx][0-6h-z]A|[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw])*[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw]B3AGEAcw[A-D][\\x2b\\x2f-9A-Za-z]AGgAZQByAGUA|cABlAGQAcgBhAG0A[YZa-e][AQgw]([23GHWXmn][048AEIMQUYcgkosw]|[YZa-e][AQgw]|[159BFJNRVZdhlptx][0-6h-z]A|[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw])*[159BFJNRVZdhlptx][0-6h-z]AHcAYQBzA[A-P][048AEIMQUYcgkosw]AaABlAHIAZQ[A-D]|[\\x2b\\x2f-9A-Za-z][3HXn]A{2}ZQBkAHIAYQBtA[GH][048AEIMQUYcgkosw]A([23GHWXmn][048AEIMQUYcgkosw]|[YZa-e][AQgw]|[159BFJNRVZdhlptx][0-6h-z]A|[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw])*[23GHWXmn][048AEIMQUYcgkosw]AdwBhAHMA[\\x2b\\x2f-9A-Za-z][AQgw]BoAGUAcgBlA[A-P]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx]wAGUAZAByAGEAbQB[0-6h-z]A[GH][048AEIMQUYcgkosw]AdwBhAHMA[\\x2b\\x2f-9A-Za-z][AQgw]BoAGUAcgBlA[A-P]|cABlAGQAcgBhAG0A[YZa-e][AQgw]([23GHWXmn][048AEIMQUYcgkosw]|[YZa-e][AQgw]|[159BFJNRVZdhlptx][0-6h-z]A|[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw])*[23GHWXmn][048AEIMQUYcgkosw]AdwBhAHMA[\\x2b\\x2f-9A-Za-z][AQgw]BoAGUAcgBlA[A-P]|[\\x2b\\x2f-9A-Za-z][3HXn]A{2}ZQBkAHIAYQBtA[GH][048AEIMQUYcgkosw]A([23GHWXmn][048AEIMQUYcgkosw]|[YZa-e][AQgw]|[159BFJNRVZdhlptx][0-6h-z]A|[\\x2b\\x2f-9A-Za-z][YZa-e][AQgw])*[159BFJNRVZdhlptx][0-6h-z]AHcAYQBzA[A-P][048AEIMQUYcgkosw]AaABlAHIAZQ[A-D]|[\\x2b\\x2f-9A-Za-z][3HXn]A{2}ZQBkAHIAYQBtA[GH][048AEIMQUYcgkosw]AdwBhAHMA[\\x2b\\x2f-9A-Za-z][AQgw]BoAGUAcgBlA[A-P])"
}
Bad Request
{
"success": false,
"data": {},
"error": "Parameter 'instring' is required."
}
{
"success": false,
"data": {},
"error": "The 'option' parameter must be one of 'WIDEN_BIG', 'WIDEN_LITTLE'."
}
500 Response
{
"success": false,
"data": {},
"error": "Input string not a properly formatted regular expression."
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
400 | Bad Request | Bad Request | Inline |
500 | Internal Server Error | Server Error | Inline |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | string | true | none | The base64 encoded regular expression. |
Status Code 400
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
Status Code 500
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
/api/yara/mixcase
Code samples
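# You can also use wget
# The URL is quoted so the shell cannot treat '?' as a filename glob.
curl --request GET \
  --header 'Accept: application/json' \
  'https://labs.inquest.net/api/yara/mixcase?instring=pedram%5Ba-z%5D%2Bwas.here'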
GET https://labs.inquest.net/api/yara/mixcase?instring=pedram%5Ba-z%5D%2Bwas.here HTTP/1.1
Host: labs.inquest.net
Accept: application/json
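const headers = {
  'Accept': 'application/json',
};

// 400/500 responses carry the same JSON envelope as a 200, so the body is
// parsed regardless of status; only transport/parse failures reject.
fetch('https://labs.inquest.net/api/yara/mixcase?instring=pedram%5Ba-z%5D%2Bwas.here', {
  method: 'GET',
  headers,
})
  .then((res) => res.json())
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // Without a rejection handler a network failure surfaces as an unhandled rejection.
    console.error('request failed:', err);
  });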
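require 'rest-client'
require 'json'

# rest-client takes the header hash directly; its :params entry becomes the
# query string. The value is the same example input the other samples use.
headers = {
  'Accept' => 'application/json',
  params: {
    'instring' => 'pedram[a-z]+was.here',
  },
}

result = RestClient.get('https://labs.inquest.net/api/yara/mixcase', headers)
p JSON.parse(result)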
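import requests

headers = {
    'Accept': 'application/json',
}

# Bound the request: without a timeout a stalled connection blocks forever.
r = requests.get(
    'https://labs.inquest.net/api/yara/mixcase',
    params={'instring': 'pedram[a-z]+was.here'},
    headers=headers,
    timeout=30,
)
# 400/500 responses carry the same JSON envelope, so print the body before raising.
print(r.json())
r.raise_for_status()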
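<?php
require 'vendor/autoload.php';

$headers = array(
    'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
    // 'instring' is required by this endpoint; it goes in the query string,
    // and a GET carries no JSON body.
    $response = $client->request('GET', 'https://labs.inquest.net/api/yara/mixcase', array(
        'headers' => $headers,
        'query' => array('instring' => 'pedram[a-z]+was.here'),
    ));
    print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
    // 4xx/5xx from the API; the message includes the status and a body excerpt.
    print_r($e->getMessage());
}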
// ...
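URL obj = new URL("https://labs.inquest.net/api/yara/mixcase?instring=pedram%5Ba-z%5D%2Bwas.here");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
// HttpURLConnection sends no Accept header on its own.
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the JSON error envelope is on getErrorStream().
StringBuilder response = new StringBuilder();
try (BufferedReader in = new BufferedReader(new InputStreamReader(
        responseCode >= 400 ? con.getErrorStream() : con.getInputStream()))) {
    String inputLine;
    while ((inputLine = in.readLine()) != null) {
        response.append(inputLine);
    }
}
System.out.println(response.toString());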
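package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

// main calls mixcase with the example input and prints the status line and raw JSON body.
func main() {
	// A GET carries no body, so the request is built with nil.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/yara/mixcase", nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Accept", "application/json")

	// 'instring' is required; url.Values handles the percent-encoding.
	q := req.URL.Query()
	q.Set("instring", "pedram[a-z]+was.here")
	req.URL.RawQuery = q.Encode()

	// Bound the request so a stalled server cannot hang the program.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp.Status)
	fmt.Println(string(body))
}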
GET /api/yara/mixcase
Regex generator for mixed-case hex-encoded strings.
Returns a hex-encoded regex pattern that matches the input string in any combination of upper- and lower-case letters.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
instring | query | string | true | Input string to convert to regex that will match within mixed case content. |
Example responses
200 Response
{
"success": true,
"data": "[57]0[46]5[46]4[57]2[46]1[46]d5b[46]12d[57]a5d2b[57]7[46]1[57]32e[46]8[46]5[57]2[46]5"
}
400 Response
{
"success": false,
"data": {},
"error": "Parameter 'instring' is required."
}
500 Response
{
"success": false,
"data": {},
"error": "Unknown exception in mixcasification process."
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
400 | Bad Request | Bad Request | Inline |
500 | Internal Server Error | Server Error | Inline |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | string | true | none | The mixed case regular expression. |
Status Code 400
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
Status Code 500
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
/api/yara/trigger
Code samples
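# You can also use wget
# The URL is quoted so the shell cannot treat '?' as a filename glob.
curl --request GET \
  --header 'Accept: application/json' \
  'https://labs.inquest.net/api/yara/trigger?trigger=CWS'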
GET https://labs.inquest.net/api/yara/trigger?trigger=CWS HTTP/1.1
Host: labs.inquest.net
Accept: application/json
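const headers = {
  'Accept': 'application/json',
};

// 400/500 responses carry the same JSON envelope as a 200, so the body is
// parsed regardless of status; only transport/parse failures reject.
fetch('https://labs.inquest.net/api/yara/trigger?trigger=CWS', {
  method: 'GET',
  headers,
})
  .then((res) => res.json())
  .then((body) => {
    console.log(body);
  })
  .catch((err) => {
    // Without a rejection handler a network failure surfaces as an unhandled rejection.
    console.error('request failed:', err);
  });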
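require 'rest-client'
require 'json'

# rest-client takes the header hash directly; its :params entry becomes the
# query string. The value is the same example input the other samples use.
headers = {
  'Accept' => 'application/json',
  params: {
    'trigger' => 'CWS',
  },
}

result = RestClient.get('https://labs.inquest.net/api/yara/trigger', headers)
p JSON.parse(result)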
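import requests

headers = {
    'Accept': 'application/json',
}

# Bound the request: without a timeout a stalled connection blocks forever.
r = requests.get(
    'https://labs.inquest.net/api/yara/trigger',
    params={'trigger': 'CWS'},
    headers=headers,
    timeout=30,
)
# 400/500 responses carry the same JSON envelope, so print the body before raising.
print(r.json())
r.raise_for_status()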
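<?php
require 'vendor/autoload.php';

$headers = array(
    'Accept' => 'application/json',
);

$client = new \GuzzleHttp\Client();

try {
    // 'trigger' is required by this endpoint; it goes in the query string,
    // and a GET carries no JSON body.
    $response = $client->request('GET', 'https://labs.inquest.net/api/yara/trigger', array(
        'headers' => $headers,
        'query' => array('trigger' => 'CWS'),
    ));
    print_r($response->getBody()->getContents());
}
catch (\GuzzleHttp\Exception\BadResponseException $e) {
    // 4xx/5xx from the API; the message includes the status and a body excerpt.
    print_r($e->getMessage());
}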
// ...
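URL obj = new URL("https://labs.inquest.net/api/yara/trigger?trigger=CWS");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
// HttpURLConnection sends no Accept header on its own.
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
// getInputStream() throws on 4xx/5xx; the JSON error envelope is on getErrorStream().
StringBuilder response = new StringBuilder();
try (BufferedReader in = new BufferedReader(new InputStreamReader(
        responseCode >= 400 ? con.getErrorStream() : con.getInputStream()))) {
    String inputLine;
    while ((inputLine = in.readLine()) != null) {
        response.append(inputLine);
    }
}
System.out.println(response.toString());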
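package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

// main calls trigger with the example input and prints the status line and raw JSON body.
func main() {
	// A GET carries no body, so the request is built with nil.
	req, err := http.NewRequest("GET", "https://labs.inquest.net/api/yara/trigger", nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Accept", "application/json")

	// 'trigger' is required; url.Values handles the percent-encoding.
	q := req.URL.Query()
	q.Set("trigger", "CWS")
	req.URL.RawQuery = q.Encode()

	// Bound the request so a stalled server cannot hang the program.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp.Status)
	fmt.Println(string(body))
}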
GET /api/yara/trigger
String to uint().
Convert strings into uint() equivalent for building fast, efficient YARA conditions. For a better understanding of this functionality and why it's useful, refer to the InQuest blog post here.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
trigger | query | string | true | The string to convert to YARA integer conditions. |
offset | query | any | false | The integer or hex offset in a file for the YARA rule to examine. Default value is 0. |
is_hex | query | boolean | false | Set to true if the value of trigger should be interpreted as hexadecimal instead of a string. Default is false. |
Detailed descriptions
offset: The integer or hex offset in a file for the YARA rule to examine. Default value is 0.
is_hex: Set to true if the value of trigger should be interpreted as hexadecimal instead of a string. Default is false.
Example responses
200 Response
{
"success": true,
"data": "/* trigger = 'CWS' */\n(uint16be(0x0) == 0x4357 and uint8(0x2) == 0x53)"
}
Bad Request
{
"success": false,
"data": [],
"error": "Parameter 'trigger' is required."
}
{
"success": false,
"data": [],
"error": "Parameter 'is_hex' must be boolean."
}
{
"success": false,
"data": [],
"error": "When parameter 'is_hex' is True, 'trigger' must be all hexadecimel."
}
{
"success": false,
"data": [],
"error": "Parameter 'offset' must be decimal or hexadecimel."
}
500 Response
{
"success": false,
"data": {},
"error": "Unknown exception in triggerification process."
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
400 | Bad Request | Bad Request | Inline |
500 | Internal Server Error | Server Error | Inline |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | string | true | none | The YARA condition matching the value in trigger. |
Status Code 400
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
Status Code 500
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» success | boolean | true | none | False if there was an error processing the request, otherwise True. |
» data | object | true | none | none |
» error | string | false | none | The error message when handling the request if there was one. |
Schemas
Alert
{
"category": "suspicious",
"description": "Detected a macro that references a suspicious number of tersely named variables.",
"reference": "string",
"title": "Suspicious Document Variables"
}
A DFI triggered event based on a heuristic rule.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
category | string | false | none | The alert severity. |
description | string | false | none | The alert description. |
reference | string | false | none | A link to the alert. |
title | string | false | none | The alert name. |
Enumerated Values
Property | Value |
---|---|
category | suspicious |
category | evasive |
category | info |
category | malicious |
APIResponse
{
"success": true,
"data": "string",
"error": "string"
}
The stock response object for all responses from labs.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
success | boolean | true | none | False if there was an error processing the request, otherwise True. |
data | string | true | none | The requested info from the server. |
error | string | false | none | The error message when handling the request if there was one. |
ArtifactType
"domain"
An artifact type such as domain, IP, or URL.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | string | false | none | An artifact type such as domain, IP, or URL. |
Enumerated Values
Property | Value |
---|---|
anonymous | asn_num |
anonymous | domain |
anonymous | |
anonymous | filename |
anonymous | hash |
anonymous | ip |
anonymous | ipaddress |
anonymous | url |
anonymous | yarasignature |
Attribute
{
"attribute": "domain",
"category": "ioc",
"count": 3,
"value": "example.com"
}
An Attribute is an association, such as an IOC, that is made during DFI inspection.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
attribute | ArtifactType | false | none | An artifact type such as domain, IP, or URL. |
category | string | false | none | The attribute category, typically 'ioc'. |
count | integer | false | none | The number of occurrences of the IOC in the file. |
value | string | false | none | The attribute value. |
Classification
"MALICIOUS"
Indicates the threat posed by an artifact.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | string | false | none | Indicates the threat posed by an artifact. |
Enumerated Values
Property | Value |
---|---|
anonymous | MALICIOUS |
anonymous | UNKNOWN |
DFIDetails
{
"analysis_completed": true,
"classification": "MALICIOUS",
"ext_code": "string",
"ext_context": "string",
"ext_metadata": "string",
"ext_ocr": "string",
"file_type": "DOC",
"first_seen": "Wed, 02 Sep 2020 12:28:56 GMT",
"image": true,
"inquest_alerts": [
{
"category": "suspicious",
"description": "Detected a macro that references a suspicious number of tersely named variables.",
"reference": "string",
"title": "Suspicious Document Variables"
}
],
"inquest_dfi_size": 598712,
"last_inquest_dfi": "Mon, 07 Sep 2020 23:48:40 GMT",
"last_inquest_featext": "Wed, 07 Sep 2020 23:49:43 GMT",
"last_updated": "Wed, 07 Sep 2020 23:49:43 GMT",
"len_code": 0,
"len_context": 106222,
"len_metadata": 1243,
"len_ocr": 0,
"malware_label": "sagent-docdl-htfcpy-emotet-classic-tioibekv-malware",
"md5": "69d263c0f6641150aa72f3777eb4ca81",
"mime_type": "application/vnd.ms-excel",
"sha1": "3d0d1c2f867259ebfb4674198ff7a4978a0a8520",
"sha256": "ac8ab2f4a2aa6a0ceec2743ce15d9e1ae9bf5827e78523e19215bea0c4a4c45b",
"sha512": "059c3a01a7c5b35be63959dfe0b9d71d58251613be3feec5bb82ff4e60c2f83bbb43e9cec44a981e980cb0b7133048c35f58b65f722741951a8328093f1d796d",
"size": 222208,
"subcategory": "maldoc_hunter",
"subcategory_url": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/maldoc_hunter.rule",
"virus_total": "https://www.virustotal.com/gui/file/ac8ab2f4a2aa6a0ceec2743ce15d9e1ae9bf5827e78523e19215bea0c4a4c45b",
"vt_positives": 8,
"vt_weight": 2.700000047683716
}
The detailed result of a DFI analysis.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
analysis_completed | boolean | false | none | True if the DFI analysis is complete, otherwise False. |
classification | Classification | false | none | Indicates the threat posed by an artifact. |
ext_code | string | false | none | The Embedded Logic extracted from the file. |
ext_context | string | false | none | The Semantic Context extracted from the file. |
ext_metadata | string | false | none | The Metadata extracted from the file. |
ext_ocr | string | false | none | The Semantic OCR text extracted from the file. |
file_type | FileType | false | none | A valid file type that can be analyzed. |
first_seen | string | false | none | The time the file was first seen. |
image | boolean | false | none | True if there is an image associated with the file, otherwise False. |
inquest_alerts | [Alert] | false | none | [A DFI triggered event based on a heuristic rule.] |
inquest_dfi_size | integer | false | none | The file size in bytes after DFI inspection. This size is typically larger than the file size due to converting binary content to text. |
last_inquest_dfi | string | false | none | The last time the file was inspected by DFI. |
last_inquest_featext | string | false | none | The last time DFI analyzed the file. |
last_updated | string | false | none | The last time the file was updated. |
len_code | integer | false | none | The length in bytes of the code extracted from the file by DFI. |
len_context | integer | false | none | The length in bytes of the semantic context extracted from the file by DFI. |
len_metadata | integer | false | none | The length in bytes of the metadata extracted from the file by DFI. |
len_ocr | integer | false | none | The length in bytes of the OCR text extracted from the file by DFI. |
malware_label | string | false | none | The malware labels that apply to the file. |
md5 | string | false | none | The MD5 hash of the file. |
mime_type | string | false | none | The file MIME type. |
sha1 | string | false | none | The SHA1 hash of the file. |
sha256 | string | false | none | The SHA256 hash of the file. |
sha512 | string | false | none | The SHA512 hash of the file. |
size | integer | false | none | The size of the file in bytes. |
subcategory | string | false | none | The DFI source. |
subcategory_url | string | false | none | The link to DFI subcategory source code. |
virus_total | string | false | none | The link to the file on Virus Total. |
vt_positives | integer | false | none | The Virus Total score. |
vt_weight | number(float) | false | none | The Virus Total weight. |
Enumerated Values
Property | Value |
---|---|
subcategory | excel40_hunter |
subcategory | macro_hunter |
subcategory | maldoc_hunter |
subcategory | malfash_hunter |
subcategory | maljar_hunter |
subcategory | malpdf_hunter |
subcategory | pdfjs_hunter |
subcategory | phish_hunter |
subcategory | rtf_hunter |
subcategory | slk_hunter |
subcategory | swfdoc_hunter |
subcategory | xsl_hunter |
DFIFilter
{
"is_case_sensitive": true,
"is_regex": true,
"title": "Macro: Highlight String Operations",
"value": "\\b(cstr|format|instr|instrrev|join|lcase|left|len|like|ltrim|mid|replace|right|rtrim|split|str|strcomp|strconv|string|strreverse|trim|ucase|val)\\b"
}
A rule used by DFI for matching content.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
is_case_sensitive | boolean | true | none | True if the rule is case sensitive, otherwise False. |
is_regex | boolean | true | none | True if the rule is a regular expression, otherwise False. |
title | string | true | none | The name of the rule. |
value | string | true | none | The rule to apply. |
DFIResult
{
"analysis_completed": true,
"classification": "MALICIOUS",
"file_type": "DOC",
"first_seen": "Wed, 02 Sep 2020 12:28:56 GMT",
"image": true,
"inquest_alerts": [
{
"category": "suspicious",
"description": "Detected a macro that references a suspicious number of tersely named variables.",
"reference": "string",
"title": "Suspicious Document Variables"
}
],
"last_inquest_featext": "Wed, 02 Sep 2020 12:31:31 GMT",
"len_code": 71560,
"len_context": 21,
"len_metadata": 1308,
"len_ocr": 276,
"mime_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"sha_256": "d6ac955b6756b0ca5eb236db66dc54c1e84c74067ace61b47adcbe1409c66222",
"size": 92646,
"subcategory": "macro_hunter",
"subcategory_url": "https://github.com/InQuest/yara-rules/blob/master/labs.inquest.net/macro_hunter.rule",
"vt_positives": 8,
"vt_weight": 2.700000047683716
}
The result of DFI analysis.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
analysis_completed | boolean | false | none | True if the DFI analysis is complete, otherwise False. |
classification | Classification | false | none | Indicates the threat posed by an artifact. |
file_type | FileType | false | none | A valid file type that can be analyzed. |
first_seen | string | false | none | The time the file was first seen. |
image | boolean | false | none | True if there is an image associated with the file, otherwise False. |
inquest_alerts | [Alert] | false | none | [A DFI triggered event based on a heuristic rule.] |
last_inquest_featext | string | false | none | The last time DFI analyzed the file. |
len_code | integer | false | none | The length in bytes of the code extracted from the file by DFI. |
len_context | integer | false | none | The length in bytes of the semantic context extracted from the file by DFI. |
len_metadata | integer | false | none | The length in bytes of the metadata extracted from the file by DFI. |
len_ocr | integer | false | none | The length in bytes of the OCR text extracted from the file by DFI. |
mime_type | string | false | none | The MIME type of the file. |
sha_256 | string | false | none | The SHA256 hash of the file. |
size | integer | false | none | The size of the file in bytes. |
subcategory | string | false | none | The DFI source. |
subcategory_url | string | false | none | The link to DFI subcategory source code. |
vt_positives | integer | false | none | The Virus Total score. |
vt_weight | number(float) | false | none | The Virus Total weight. |
Enumerated Values
Property | Value |
---|---|
subcategory | excel40_hunter |
subcategory | macro_hunter |
subcategory | maldoc_hunter |
subcategory | malfash_hunter |
subcategory | maljar_hunter |
subcategory | malpdf_hunter |
subcategory | pdfjs_hunter |
subcategory | phish_hunter |
subcategory | rtf_hunter |
subcategory | slk_hunter |
subcategory | swfdoc_hunter |
subcategory | xsl_hunter |
FileType
"DOC"
A valid file type that can be analyzed.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | string | false | none | A valid file type that can be analyzed. |
Enumerated Values
Property | Value |
---|---|
anonymous | DOC |
anonymous | DOCX |
anonymous | EML |
anonymous | OLE |
anonymous | PPT |
anonymous | XLS |
Indicator
{
"artifact": "exploit.co",
"artifact_type": "domain",
"created_date": "Fri, 04 Sep 2020 05:27:08 GMT",
"reference_link": "https://twitter.com/ecarlesi/status/13017518359XXXXXXXX",
"reference_text": "Possible threat on hxxps://getvanillacake[.]com/20200903_phplord_8587346d818cd36XXXXX_202009031XXXXX_archive[.]zip #phishing #opendir"
}
An OSINT indicator pulled from the web.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
artifact | string | true | none | The value of the artifact. |
artifact_type | ArtifactType | true | none | An artifact type such as domain, IP, or URL. |
created_date | string | true | none | The artifact first-seen datetime. |
reference_link | string | false | none | The URL where the artifact was originally found. |
reference_text | any | false | none | The scraped text containing the raw artifact. |
Reputation
{
"created_date": "Fri, 04 Sep 2020 05:27:08 GMT",
"data": "exploit.co",
"data_type": "domain",
"derived": "exploit.co",
"derived_type": "domain",
"source": "urlhaus",
"source_url": "string"
}
An artifact aggregated from a threat intelligence feed.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
created_date | string | true | none | The artifact first-seen datetime. |
data | string | true | none | The value of the artifact. |
data_type | ArtifactType | true | none | An artifact type such as domain, IP, or URL. |
derived | string | false | none | The domain, host, or IP address extracted from the artifact if such extraction is possible. |
derived_type | ArtifactType | false | none | An artifact type such as domain, IP, or URL. |
source | string | true | none | The source reputation feed. |
source_url | string | false | none | The link to the artifact on the reputation feed. |