URLscan threat hunting for beginners
You might be new to URLscan, and your employer is asking you to perform some threat hunting tasks on URLscan while you don't know where to start. Well, then this guide is for you, as I will walk you through URLscan's threat hunting capabilities.
No account needed
I do strongly recommend that you take a subscription or a free account at URLscan. The founders and the people behind it are doing an awesome job. For this threat hunting guide, however, no URLscan account is needed.
Let’s define our scope
Your employer, manager or team lead might have given you a scope; if not, ask for the scope of the assignment. You need to understand what you are hunting for.
In this example, we will focus on Microsoft phishing pages, and we are going to perform threat hunting to identify Microsoft phishing pages that have been indexed on URLscan so that we can create detection signatures and perform an investigation into the infrastructure used by these phishing pages.
Scope: Phishing pages aimed at Microsoft users
Services: Outlook, Live, OneDrive, Office 365
The URLscan website is pretty straightforward. We will navigate directly to the search page on URLscan.
Before we start clicking the search button, we are going to take a look at the options provided, because the filters are what let us narrow down our searches.
A quick view on some of the default queries shown in the help text:
- domain:microsoft.com AND NOT page.domain:microsoft.com
- page.domain:(microsoft.com~ AND NOT microsoft.com)
- page.domain:(/micro*/ AND NOT microsoft.com)
- page.asn:AS24940 OR page.asnname:hetzner
- page.url:"wp-content/uploads/" OR filename:"wp-content/uploads/"
Let's try a query
The following query will give you a quick view of some suspicious OneDrive look-alike domains. You can investigate them while you follow this guide.
page.domain:onedrive* AND NOT page.domain:(live.com OR windows.net OR onedrive.com)
Once you copy and paste this query into the search field and hit enter, you will notice the following:
We are searching for pages whose domain contains the keyword onedrive followed by anything (that is what the * is for). We are also excluding pages whose domain matches live.com, windows.net or onedrive.com, the legitimate Microsoft domains that would otherwise flood the results.
Now it gets interesting: we have received results and we can start snooping around to create some signatures and search queries.
Let’s further narrow down our search
We are going to continue with the search queries, because we are trying to find Microsoft phishing pages. You have been snooping through the list and you have found a phishing page. This is great; now let's take a further look at the details shown on URLscan.
You can use the URLscan link shown above to immediately go to a phishing page that has been indexed. We will be using that one for the example.
Take a moment and search through the resource list of the report. One thing that quickly pops up is the .mp4 file named onedrive.mp4. We can use this filename in our previous query to narrow down our search even further; we can also click on the filename to see whether there are any other scans that loaded the same file.
The query should look like this in your search field:
If done correctly, you should see results similar to the screenshot below:
I also mentioned that you can combine the new filename filter with your previous query. Once done correctly, your query should look like this:
page.domain:onedrive* AND NOT page.domain:(live.com OR windows.net OR onedrive.com) AND filename:"onedrive.mp4"
You will notice that this query returns fewer results, but all of them are phishing. You can also make the query a bit broader by changing the domain keywords.
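To make the query pattern above reproducible, here is an added example (written for this guide, not code from the original post or from urlscan.io) that composes the same query in code, can submit it to the public URLscan search API, and reduces the hits to the pivots you would investigate next: domains, IPs, ASNs and report links. The hit structure (results[].page.domain, page.ip, page.asn, page.asnname, results[].result) is the one the search API returns; the sample response, its domains, report ids and the documentation IP/ASN values are constructed, and the CIDR form of the page.ip filter is an assumption based on Elasticsearch ip-field semantics. It goes a step beyond the text by also dropping any hit on an excluded legitimate domain as a local sanity check on the NOT clause.

```python
"""Added example: build URLscan search queries, fetch them, and triage hits.
Not code from the original post or from urlscan.io."""
import json
import urllib.parse
import urllib.request
from collections import Counter

# Public search endpoint (GET, no key required for public scans).
SEARCH_API = "https://urlscan.io/api/v1/search/"


def build_query(keyword, exclude_domains, filename=None):
    """Compose the post's pattern: wildcard domain keyword, NOT-list of
    legitimate domains, and an optional exact filename from the resource list."""
    excluded = " OR ".join(exclude_domains)
    query = f"page.domain:{keyword}* AND NOT page.domain:({excluded})"
    if filename:
        query += f' AND filename:"{filename}"'
    return query


def ip_range_query(cidr):
    """Pivot on a CIDR range. Assumption: page.ip accepts CIDR notation,
    as Elasticsearch ip fields do; verify against a known range first."""
    return f'page.ip:"{cidr}"'


def search_url(query, size=100):
    """URL-encode the query for a GET against the search API."""
    return SEARCH_API + "?" + urllib.parse.urlencode({"q": query, "size": size})


def fetch(query, size=100, timeout=30):
    """Live call; needs network access and is not used by the offline sample."""
    req = urllib.request.Request(search_url(query, size),
                                 headers={"User-Agent": "urlscan-hunting-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(response, exclude_domains=()):
    """Reduce raw hits to a triage table plus IP and ASN counts. A hit whose
    domain is (or is under) an excluded legitimate domain is dropped here as
    a local check that the NOT clause behaved as expected."""
    hits, ips, asns = [], Counter(), Counter()
    for r in response.get("results", []):
        page = r.get("page", {})
        domain = page.get("domain", "")
        if any(domain == d or domain.endswith("." + d) for d in exclude_domains):
            continue
        hits.append({"domain": domain, "url": page.get("url"), "ip": page.get("ip"),
                     "asn": page.get("asn"), "asnname": page.get("asnname"),
                     "report": r.get("result")})
        ips[page.get("ip")] += 1
        asns[page.get("asn")] += 1
    return {"hits": hits, "top_ips": ips.most_common(), "top_asns": asns.most_common()}


# Constructed sample response in the shape of a real search reply: documentation
# IPs and ASNs, invented domains and report ids. One hit is a legitimate domain
# that a sloppy query would let through.
SAMPLE_RESPONSE = {"results": [
    {"page": {"domain": "onedrive-share.example", "url": "https://onedrive-share.example/login",
              "ip": "203.0.113.10", "asn": "AS64496", "asnname": "EXAMPLE-NET"},
     "result": "https://urlscan.io/result/00000000-0000-0000-0000-000000000001/"},
    {"page": {"domain": "onedrive-docs.example", "url": "https://onedrive-docs.example/view",
              "ip": "203.0.113.10", "asn": "AS64496", "asnname": "EXAMPLE-NET"},
     "result": "https://urlscan.io/result/00000000-0000-0000-0000-000000000002/"},
    {"page": {"domain": "onedrive-secure.example", "url": "https://onedrive-secure.example/",
              "ip": "198.51.100.7", "asn": "AS64497", "asnname": "EXAMPLE-HOST"},
     "result": "https://urlscan.io/result/00000000-0000-0000-0000-000000000003/"},
    {"page": {"domain": "onedrive.live.com", "url": "https://onedrive.live.com/",
              "ip": "203.0.113.200", "asn": "AS64498", "asnname": "EXAMPLE-CLOUD"},
     "result": "https://urlscan.io/result/00000000-0000-0000-0000-000000000004/"},
]}

LEGIT = ["live.com", "windows.net", "onedrive.com"]

if __name__ == "__main__":
    query = build_query("onedrive", LEGIT, "onedrive.mp4")
    print("query:", query)
    print("url:  ", search_url(query))
    summary = summarize(SAMPLE_RESPONSE, LEGIT)  # swap in fetch(query) for a live run
    for hit in summary["hits"]:
        print(hit["domain"], hit["ip"], hit["asn"], hit["report"])
    print("top IPs:", summary["top_ips"])
    print("top ASNs:", summary["top_asns"])
```

The IP and ASN counts are the starting point for the infrastructure investigation the scope asks for: two hits sharing one IP is a reason to run the ip_range_query pivot on that provider's range next, which is exactly the "search on IP address ranges" tip further down.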
Some more tips
The URLscan reports contain a lot of details; most of them can be clicked and will lead you to a new query or to a page with more information. Try to get comfortable with the site and practice by clicking around:
- Search on IP address ranges
- Search on domain keywords
- Search on filenames
- Search on favicons
- Try to make threat hunting mistakes and learn from them 🙂