The purpose of InQuest Labs is to empower independent security researchers with a convenient mixture of file data and threat intelligence. There are four major components, each with a “tile” on the homepage, all of which are supported by an open API and a companion Python library and command-line interface (CLI).
A continually growing corpus of benign and malicious OLE/OOXML (Microsoft/Open Office) documents is fed through DFI, a static analysis engine that extracts embedded streams such as macros, images and Indicators of Compromise (IOCs). Log in to see labeling data from heuristics, machine learning (ML) and multi-AV (MAV). Logged-in users are also able to download the subset of malicious samples that InQuest has received through multiple sources. Anyone may upload files via drag-and-drop or the API for dissection.
Aggregation of IOCs from over two dozen publicly accessible reputation feeds. Once you’ve identified an interesting sample from DFI, enumerate relevant IOCs through static/dynamic analysis and cross-reference the data here to see if the relevant infrastructure has already been reported for abuse.
Stream of IOCs from various curated sources including GitHub, Pastebin, Twitter, RSS feeds and more. Whereas REP-DB covers “reported” indicators, the IOC-DB covers “discussed” indicators. If the IOCs you’ve associated with an interesting sample from DFI have not been found in REP-DB or IOC-DB, chances are you’ve identified a novel threat worth further dissection on both the reverse engineering and detection engineering fronts.
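The DFI → REP-DB → IOC-DB triage loop described above, as an added example that is not InQuest's code: it pulls IOCs out of a constructed static-analysis excerpt (macro strings with the usual defanging), normalises them, and buckets each network indicator as "reported" (known to a reputation feed), "discussed" (seen in open-source chatter) or "novel". The two feed results are constructed stand-ins; where you would query REP-DB and IOC-DB for real, the endpoint names are deliberately left out rather than assumed.

```python
"""Triage helper for the DFI -> REP-DB -> IOC-DB workflow.

Added example, not InQuest's own code. The report text and the two feed
result sets below are constructed; swap the sets for live lookups against
the InQuest Labs API if you wire it up.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: strings a static-analysis pass might pull from a
# document macro, with IOCs written in common defanged forms.
SAMPLE_REPORT = """
Sub AutoOpen()
  url = "hxxp://update-check[.]example-bad[.]com/payload.bin"
  host = "192[.]0[.]2[.]44"
  alt  = "http://198.51.100.7:8080/x"
  ' embedded dropper hash (constructed, MD5 of "hello"):
  ' 5d41402abc4b2a76b9719d911017c592
End Sub
"""

# Constructed stand-ins for REP-DB ("reported") and IOC-DB ("discussed").
REPORTED = {"198.51.100.7"}
DISCUSSED = {"update-check.example-bad.com"}

_URL_RE = re.compile(r"https?://[^\s\"'<>]+")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def refang(text: str) -> str:
    """Undo the usual defanging conventions so indicators compare cleanly."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))


@dataclass
class Iocs:
    urls: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    hashes: set = field(default_factory=set)


def _is_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def extract_iocs(report: str) -> Iocs:
    """Collect URLs, the hosts inside them, bare IPv4s and MD5s from the text."""
    text = refang(report)
    iocs = Iocs()
    for url in _URL_RE.findall(text):
        iocs.urls.add(url)
        host = url.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
        (iocs.ips if _is_ipv4(host) else iocs.domains).add(host.lower())
    for ip in _IPV4_RE.findall(text):
        if _is_ipv4(ip):          # drops things like 999.1.1.1
            iocs.ips.add(ip)
    iocs.hashes.update(h.lower() for h in _MD5_RE.findall(text))
    return iocs


def triage(iocs: Iocs, reported: set, discussed: set) -> dict:
    """Bucket each network indicator by where, if anywhere, it is already known.

    Reputation (REP-DB) wins over discussion (IOC-DB); anything in neither is
    the candidate 'novel threat' worth deeper reversing and detection work.
    """
    result = {"reported": set(), "discussed": set(), "novel": set()}
    for indicator in iocs.ips | iocs.domains:
        if indicator in reported:
            result["reported"].add(indicator)
        elif indicator in discussed:
            result["discussed"].add(indicator)
        else:
            result["novel"].add(indicator)
    return result


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_REPORT)
    for bucket, items in triage(found, REPORTED, DISCUSSED).items():
        print(f"{bucket:9s} {sorted(items)}")
    print("hashes for DFI lookup:", sorted(found.hashes))
```

Hashes are extracted but not bucketed, since the place to pivot on a file hash is DFI itself rather than the two infrastructure-oriented databases. Only the "novel" bucket is a signal that the sample may deserve the detection-engineering effort the text goes on to describe.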
Once you’ve found a novel threat, it benefits the community at large to release detection logic. In the realm of files, YARA is ubiquitous, and the InQuest Labs portal provides creative tooling to assist you here.
Colin Hardy put together a fantastic video overview of the research portal, available here:
https://www.youtube.com/watch?v=q1H0PDzsq3E