Hunting With URLscan: Part 3


Welcome back, cyber defenders! In this part of our URLscan.io guide, we’re going to explore search operators and queries. We’ll also provide you with 10 handy search query templates to aid in your cyber threat hunting efforts. Ready? Let’s get started.

Topics in this series:

  Hunting With URLscan: Part 1 – Get to know the basics
  Hunting With URLscan: Part 2 – Filenames and Hashes
  Hunting With URLscan: Part 3 – Search Operators (this part)
  Hunting with URLscan: Part 4 – Query Builder

Understanding Search Operators

[Figure: Example query for URLscan.io]

Operators are special keywords that help you refine your search on URLscan.io. They tell the search engine to include, exclude, or prioritize certain elements in the results. Some commonly used operators include (view the full list on URLscan):

  1. AND: This operator finds scans that include all terms. For instance, ‘term1 AND term2’ would return scans that have both term1 and term2.
  2. OR: This operator finds scans that include at least one of the terms. For example, ‘term1 OR term2’ returns scans that have either term1 or term2.
  3. NOT: This operator excludes a term from the search. For example, ‘term1 NOT term2’ will show scans that have term1 but not term2.

Note: URLscan.io’s search is case-insensitive, but operators (AND, OR, NOT) should be in ALL CAPS.

Now let’s look at some handy search query templates you can use even if you’re not logged in:

10 Handy Search Query Templates:

  1. IP Search: ip:123.456.789.000 – Substitute the placeholder (which is not a valid address) with the IP address you want to search for.
  2. Domain Search: domain:cyberwarzone.com – Replace “cyberwarzone.com” with the domain you’re interested in.
  3. URL Search: url:"example.com/login*" – Swap “example.com/login” with the URL you want to investigate.
  4. ASN Search: asn:AS1234 – Replace “AS1234” with the Autonomous System Number you’re searching for.
  5. Keyword Search: login*page* – Replace “login*page*” with your keyword of interest.
  6. Filename Search: filename:example.html – Replace “example.html” with the file name you are looking for.
  7. Hash Search: hash:<SHA256 or MD5 hash> – Replace “<SHA256 or MD5 hash>” with the actual hash.
  8. Country Search: country:US – Replace “US” with the ISO code of the country you are investigating.
  9. Mixed Query: page.url:paypal* AND country:RU – This finds scans whose page URL contains the keyword “paypal” and that were served from the country “Russia”.
  10. Exclusion Query: login* NOT domain:example.com – This query returns scans with the keyword “login”, but excludes those from the domain “example.com”.

Combined Hash and Domain Query

hash:<SHA256 or MD5 hash> AND country:RU – This finds scans associated with a specific hash in a specific country. Replace “<SHA256 or MD5 hash>” with the actual hash and “RU” with the ISO code of the country you are interested in.

With this hash-focused query, you can pinpoint where a specific malicious resource has been seen within a specific country. This offers a powerful way to drill down into potentially harmful activity tied to a known indicator of interest. It is recommended to experiment and find the process that works best for your URLscan hunts.
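The operators (AND, OR, NOT) and the field templates above compose into a small query builder. The following is an added example, not code from the article or from urlscan.io: it validates each indicator before it is turned into a term (so a typo such as the 123.456.789.000 placeholder is caught before a query is sent), joins terms with upper-case operators, URL-encodes the result for the search endpoint, and reduces a search response to the fields a hunter triages first. SEARCH_ENDPOINT and the `results` / `task.url` / `page.*` fields follow urlscan.io's public search API; SAMPLE_RESPONSE is constructed so the module runs offline.

```python
"""Compose, validate and URL-encode URLscan.io search queries, then summarize a
search response. Added example; not code from the article or from urlscan.io."""
import ipaddress
import json
import re
from urllib.parse import urlencode

# Public urlscan.io search endpoint (GET ?q=<query>&size=<n>).
SEARCH_ENDPOINT = "https://urlscan.io/api/v1/search/"


def term(name, value):
    """Render one field:value term. Values containing spaces or slashes are
    quoted, as in url:"example.com/login*"; wildcards (*) pass through."""
    if any(c in value for c in " /"):
        value = f'"{value}"'
    return f"{name}:{value}"


def ip_term(address):
    """ip:<addr>; raises ValueError on typos such as 123.456.789.000."""
    return term("ip", str(ipaddress.ip_address(address)))


def hash_term(digest):
    """hash:<digest>; accepts MD5 (32), SHA-1 (40) or SHA-256 (64) hex digests."""
    digest = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", digest):
        raise ValueError(f"not a hex MD5/SHA-1/SHA-256 digest: {digest!r}")
    return term("hash", digest)


def asn_term(asn):
    """asn:AS<number>; accepts 'AS1234' or a bare number."""
    number = str(asn).upper()
    number = number[2:] if number.startswith("AS") else number
    if not number.isdigit():
        raise ValueError(f"not an ASN: {asn!r}")
    return term("asn", f"AS{number}")


def country_term(code):
    """country:<ISO 3166-1 alpha-2 code>, normalised to upper case."""
    code = code.strip().upper()
    if not re.fullmatch(r"[A-Z]{2}", code):
        raise ValueError(f"not a two-letter country code: {code!r}")
    return term("country", code)


# Operators must be upper case (AND/OR/NOT); lower case would be read as a keyword.
def all_of(*terms):
    return " AND ".join(terms)


def any_of(*terms):
    # Parentheses group the alternatives so the OR does not bind to a neighbouring AND.
    return "(" + " OR ".join(terms) + ")"


def exclude(query, excluded):
    return f"{query} NOT {excluded}"


def search_url(query, size=100):
    """Encode the query for the GET search endpoint (spaces, ':' and '*' are escaped)."""
    return SEARCH_ENDPOINT + "?" + urlencode({"q": query, "size": size})


def summarize(response_text, country=None):
    """Reduce a search response to url/domain/ip/country rows, optionally
    keeping only scans of pages served from one country."""
    rows = []
    for result in json.loads(response_text).get("results", []):
        page = result.get("page", {})
        if country and page.get("country") != country.upper():
            continue
        rows.append({"url": result.get("task", {}).get("url"),
                     "domain": page.get("domain"),
                     "ip": page.get("ip"),
                     "country": page.get("country")})
    return rows


# Constructed sample response (RFC 5737 addresses, .test domains); not real scan data.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"task": {"url": "https://login-example.test/paypal/"},
         "page": {"domain": "login-example.test", "ip": "203.0.113.10", "country": "RU"}},
        {"task": {"url": "https://cyberwarzone.com/"},
         "page": {"domain": "cyberwarzone.com", "ip": "198.51.100.7", "country": "NL"}},
    ],
    "total": 2, "has_more": False,
})

if __name__ == "__main__":
    hunt = exclude(all_of(term("page.url", "paypal*"), country_term("ru")),
                   term("domain", "example.com"))
    print(hunt)  # page.url:paypal* AND country:RU NOT domain:example.com
    print(search_url(hunt))
    for row in summarize(SAMPLE_RESPONSE, country="RU"):
        print(row)
```

The validators are the part worth keeping: a malformed IP, hash or ASN silently returns zero hits on urlscan.io, which is easy to misread as "indicator not seen", so rejecting it locally before the request is sent avoids a false negative in the hunt.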

Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
