Welcome back, cyber defenders! In this part of our URLscan.io guide, we’re going to explore search operators and queries. We’ll also provide you with 10 handy search query templates to aid in your cyber threat hunting efforts. Ready? Let’s get started.
|Hunting With URLscan: Part 1||Get to know the basics|
|Hunting With URLscan: Part 2||Filenames and Hashes|
|Hunting With URLscan: Part 3||Search Operators|
|Hunting with URLscan: Part 4||Query Builder|
Understanding Search Operators
Operators are special keywords that help you refine your search on URLscan.io. They tell the search engine to include, exclude, or prioritize certain elements in the results. Some commonly used operators include (view the full list on URLscan):
AND: This operator finds scans that include all terms. For instance, ‘term1 AND term2’ would return scans that have both term1 and term2.
OR: This operator finds scans that include at least one of the terms. For example, ‘term1 OR term2’ returns scans that have either term1 or term2.
NOT: This operator excludes a term from the search. For example, ‘term1 NOT term2’ will show scans that have term1 but not term2.
Note: URLscan.io’s search is case-insensitive, but operators (AND, OR, NOT) should be in ALL CAPS.
Now let’s look at some handy search query templates you can use even if you’re not logged in:
10 Handy Search Query Templates:
- IP Search:
ip:123.456.789.000– Substitute with the IP you want to search for.
- Domain Search:
domain:cyberwarzone.com– Replace “cyberwarzone.com” with the domain you’re interested in.
- URL Search:
url:"example.com/login*"– Swap “example.com/login” with the URL you want to investigate.
- ASN Search:
asn:AS1234– Replace “AS1234” with the Autonomous System Number you’re searching for.
- Keyword Search:
login*page*– Replace “login*page*” with your keyword of interest.
- Filename Search:
filename:example.html– Replace “example.html” with the file name you are looking for.
- Hash Search:
hash:<SHA256 or MD5 hash>– Replace “<SHA256 or MD5 hash>” with the actual hash.
- Country Search:
country:US– Replace “US” with the ISO code of the country you are investigating.
- Mixed Query:
page.url:paypal* AND country:RU– This finds scans that contain the keyword “paypal” and are in the country “Russia”.
- Exclusion Query:
login* NOT domain:example.com– This query returns scans with the keyword “login”, but excludes those from the domain “example.com”.
Combined Hash and Domain Query
hash:<SHA256 or MD5 hash> AND country:RU – This finds scans associated with a specific hash from a specific domain. Replace “<SHA256 or MD5 hash>” with the actual hash and “RU” with the country you are interested in.
With this hash-focused query, you can pinpoint specific malicious resources within a specific country. This offers a powerful way to drill down into potentially harmful activities within a known domain of interest. It is recommended to play around and find the best process for your URLscan hunts.