URLscan threat hunting for beginners

Published by Reza Rafati on

You might be new to URLscan, your employer is asking you to perform some threat hunting tasks on it, and you don't know where to start. Well, then this guide is for you: I will walk you through URLscan's threat hunting capabilities.

No account needed

I do strongly recommend that you take a subscription or a free account at URLscan. The founders and the people behind it are doing an awesome job. For this threat hunting guide, however, no URLscan account is needed.

Let’s define our scope

Your employer, manager or team lead may have given you a scope; if not, ask for the scope of the assignment. You need to understand what you are hunting for.

In this example, we will focus on Microsoft phishing pages, and we are going to perform threat hunting to identify Microsoft phishing pages that have been indexed on URLscan so that we can create detection signatures and perform an investigation into the infrastructure used by these phishing pages.

Scope: Phishing pages aimed at Microsoft users
Services: Outlook, Live, Onedrive, Office365

URLscan

The URLscan website is pretty straightforward. We will navigate directly to the search page on URLscan.

We click on “Search” which can be found in the URLscan menu

Before we start clicking the search button, we are going to take a look at the options provided. Filters let us narrow down our searches.

We click on the blue Help button. Once clicked, instructions about the filters are shown.

A quick view on some of the default queries shown in the help text:

  • page.ip:1.1.1.1
  • page.url.keyword:https\:\/\/www.microsoft.com\/*
  • domain:microsoft.com AND NOT page.domain:microsoft.com
  • page.domain:(microsoft.com~ AND NOT microsoft.com)
  • page.domain:(/micro*/ AND NOT microsoft.com)
  • page.asn:AS24940 OR page.asnname:hetzner
  • page.url:"wp-content/uploads/" OR filename:"wp-content/uploads/"

Let's try a query

The following query will give you a quick view on some suspicious Microsoft domains. You can investigate them while you follow this guide.

page.domain:onedrive* AND NOT page.domain:(live.com OR windows.net OR onedrive.com)

Once you copy and paste this query into the search field and hit enter, the following happens:

We are searching for pages whose domain contains the keyword onedrive (and anything after it, because of the *), and we are excluding pages whose domain matches live.com, windows.net or onedrive.com.

Results of the query shown on URLscan

Now it gets interesting: we have results and can start snooping around to create some signatures and search queries.

Let’s further narrow down our search

We are going to continue with the search queries, because we are trying to find Microsoft phishing pages. You have been snooping through the list and you have found a phishing page. This is great; now let's take a closer look at the details shown on URLscan.

https://urlscan.io/result/2a1e5731-cc2b-4394-9fe4-23d3714a0deb/

You can use the URLscan link shown above to immediately go to a phishing page that has been indexed. We will be using that one for the example.

We click on HTTP to see which files have been requested

Take a moment and search through the list. One thing that quickly pops up is the mp4 file named onedrive.mp4. We can use this filename in our previous query to narrow down our search even further. We can also click on the filename and see if there are any other matches.

When the link is clicked, you will be shown a list of domains that have the same filename in use

The query should look like this in your search field:

filename:"onedrive.mp4"

If done correctly, you should see results similar to the screenshot below:

Search results on onedrive.mp4

As mentioned, you can also combine the new filter with your previous query. Done correctly, the query should look like this:

page.domain:onedrive* AND NOT page.domain:(live.com OR windows.net OR onedrive.com) AND filename:"onedrive.mp4"

You will notice that this query returns fewer results, but all of them are phishing. You can also widen the query by changing the domain keywords.
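The queries above are typed into the web search box, but the same hunt can be scripted. The following is an added example (not code from the original post or from urlscan.io): it assembles the query strings used in this guide exactly as written, shows the backslash escaping that the help-text `page.url.keyword` example relies on, builds the search API URL (the `https://urlscan.io/api/v1/search/?q=...` endpoint shape is assumed from URLscan's public API), and re-evaluates the same clauses locally over a few constructed records so the effect of each narrowing step is visible offline. The local matching rules (prefix on any hostname label, exclusion of a domain and its subdomains) are my approximation of the search index's behaviour, and the `filenames` field on the sample hits is constructed: real search hits do not carry filenames, those live in the full result.

```python
"""Scripted version of the URLscan hunting queries from this guide (added example)."""
import json
import urllib.parse
import urllib.request
from typing import Optional

# Assumed endpoint shape of the URLscan search API.
SEARCH_ENDPOINT = "https://urlscan.io/api/v1/search/"

# Characters that must be backslash-escaped inside a search term so they are
# read literally (the help text shows "https\:\/\/www.microsoft.com\/*").
# Assumed from the query-string syntax URLscan search accepts.
_RESERVED = ":/ "


def escape_term(value: str) -> str:
    """Backslash-escape reserved characters so a literal URL or path can be searched."""
    return "".join("\\" + ch if ch in _RESERVED else ch for ch in value)


def keyword_url_query(url_prefix: str) -> str:
    """page.url.keyword query matching every page URL that starts with url_prefix."""
    return "page.url.keyword:" + escape_term(url_prefix) + "*"


def build_query(domain_prefix: str, exclude_domains: list, filename: Optional[str] = None) -> str:
    """Assemble the hunting query step by step, exactly as the guide does."""
    query = f"page.domain:{domain_prefix}* AND NOT page.domain:({' OR '.join(exclude_domains)})"
    if filename:
        query += f' AND filename:"{filename}"'
    return query


def search_url(query: str, size: int = 100) -> str:
    """URL-encode the query for the search API (a GET with q= and size= parameters)."""
    return SEARCH_ENDPOINT + "?" + urllib.parse.urlencode({"q": query, "size": size})


def fetch_hits(query: str, size: int = 100) -> list:
    """Live lookup; needs network access and is not called in the offline demo below."""
    with urllib.request.urlopen(search_url(query, size), timeout=30) as resp:
        return json.load(resp)["results"]


def domain_matches(domain: str, prefix: str) -> bool:
    """Local stand-in for page.domain:<prefix>*: the hostname, or any of its
    dot-separated labels, starts with the prefix (assumed approximation)."""
    return domain.startswith(prefix) or any(label.startswith(prefix) for label in domain.split("."))


def is_excluded(domain: str, exclude_domains: list) -> bool:
    """Local stand-in for NOT page.domain:(a OR b ...): drop the domain and its subdomains."""
    return any(domain == ex or domain.endswith("." + ex) for ex in exclude_domains)


def hunt(hits: list, domain_prefix: str, exclude_domains: list, filename: Optional[str] = None) -> list:
    """Apply the guide's clauses to a list of hits and return the surviving domains."""
    survivors = []
    for hit in hits:
        domain = hit["page"]["domain"]
        if not domain_matches(domain, domain_prefix) or is_excluded(domain, exclude_domains):
            continue
        if filename and filename not in hit.get("filenames", []):
            continue
        survivors.append(domain)
    return survivors


# Constructed sample hits; the "filenames" field is added for this demo only.
EXCLUDE = ["live.com", "windows.net", "onedrive.com"]
SAMPLE_HITS = [
    {"page": {"domain": "onedrive-secure-login.example"}, "filenames": ["onedrive.mp4", "index.php"]},
    {"page": {"domain": "onedrive.live.com"}, "filenames": ["onedrive.mp4"]},   # legitimate, excluded
    {"page": {"domain": "files.onedrive-share.example"}, "filenames": ["logo.png"]},
    {"page": {"domain": "login.example.net"}, "filenames": ["onedrive.mp4"]},   # no onedrive label
    {"page": {"domain": "onedrive.com"}, "filenames": ["index.html"]},          # legitimate, excluded
]

if __name__ == "__main__":
    broad = build_query("onedrive", EXCLUDE)
    narrow = build_query("onedrive", EXCLUDE, "onedrive.mp4")
    print(search_url(broad))
    print("broad  :", hunt(SAMPLE_HITS, "onedrive", EXCLUDE))
    print("narrow :", hunt(SAMPLE_HITS, "onedrive", EXCLUDE, "onedrive.mp4"))
```

Run it as-is to see the two result sets shrink from two domains to one, which mirrors what happens in the web UI when the `filename:"onedrive.mp4"` clause is added. The local filter is only a convenience for reasoning about the clauses; every live hit still deserves a look at its full URLscan report before you turn it into a detection signature.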

Some more tips

The URLscan reports have a lot of details, and most of them can be clicked, leading you to a new query or a new page with more information. Try to get comfortable with the site and practice by clicking around.

  • Search on IP address ranges
  • Search on domain keywords
  • Search on filenames
  • Search on Favicons
  • Try to make threat hunting mistakes and learn from them 🙂


Reza Rafati

Founder of Cyberwarzone.com.