Web Scanner

Web Scanner is a feature of Community, Professional and Enterprise subscriptions that allows users to scan the clearnet and darkweb for historic infrastructure that matches a set of granular parameters.

Web Scanner can be used to quickly reveal and pivot across attacker infrastructure from a single origin point, or to reveal vulnerable infrastructure on a given attack surface or supply chain operation.

Web Scanner and Live Scan

Web Scanner queries differ from Live Scan in that they return a historical dataset covering every Silent Push scan point, rather than the single real-time result that Live Scan gathers.

Because the data spans multiple scans, Web Scanner lets users track how threat infrastructure moves over time, and how attackers adapt their TTPs to evade detection.

If a domain, IP or URL is involved in a redirect chain, Web Scanner doesn't limit results to a single scanned page. All observable data is made available, so that users can see the path taken through multiple hops, e.g. Cloudflare holding pages, deferred login pages.

Available Web Scan parameters

Web Scanner queries are executed using 100+ proprietary parameters known as 'field names', and 6 separate data sources containing all the scanned data Silent Push has collected.

Available fields include (but are not limited to):

  • On-page content
  • Body SSDeep data
  • Certificates
  • HTML titles
  • Geo location
  • Proprietary server and certificate hashes
  • Favicons
  • JavaScript

Click here for a list of available field names, and here for a list of data sources.

Web Scanner can also be used to search through historical changes in WHOIS records, using the WHOIS data source, and to locate content on the darkweb using the torscan data source.

Web Scanner query examples

Web Scanner's query syntax combines three elements:

  1. Field names
  2. Operators
  3. Values


Click here for a list of available operators.

Several clauses can be chained with an AND separator where required, as the examples below show.

Example 1: Hunting for domains that use PayPal's favicon, but are not hosted on PayPal's domain infrastructure (brand spoofing)

favicon_murmur3 = 309020573 AND domain != "paypal.com"
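To run the pivot in Example 1 against a brand you protect, you need the same favicon hash that Web Scanner indexes. The Python below is an added example, not Silent Push code; it assumes that favicon_murmur3 follows the widely used Shodan convention (32-bit MurmurHash3 with seed 0, computed over the favicon bytes after base64 encoding with line wrapping), which is consistent with the PayPal value 309020573 in the example but is not confirmed by this page. SAMPLE_FAVICON is constructed stand-in data, and brand_spoof_query is a hypothetical helper whose field names are taken from Example 1. The hash is implemented in pure Python so the example runs without the mmh3 package.

```python
import base64

C1, C2 = 0xcc9e2d51, 0x1b873593
MASK32 = 0xffffffff


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit int (the range mmh3.hash() uses)."""
    h = seed & MASK32
    n_blocks = len(data) // 4
    for i in range(n_blocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * C1) & MASK32
        k = _rotl32(k, 15)
        k = (k * C2) & MASK32
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xe6546b64) & MASK32
    tail = data[4 * n_blocks:]
    if tail:  # 1 to 3 trailing bytes, also read little-endian
        k = int.from_bytes(tail, "little")
        k = (k * C1) & MASK32
        k = _rotl32(k, 15)
        k = (k * C2) & MASK32
        h ^= k
    # finalisation mix
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85ebca6b) & MASK32
    h ^= h >> 13
    h = (h * 0xc2b2ae35) & MASK32
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def favicon_murmur3(favicon: bytes) -> int:
    """Shodan-style favicon hash.

    Assumption: Web Scanner's favicon_murmur3 uses the same convention. The raw
    bytes are base64-encoded with 76-column line wrapping and a trailing newline
    (base64.encodebytes), and that text, not the raw image, is hashed. Hashing the
    raw bytes or unwrapped base64 gives a different value that will not match.
    """
    return murmur3_32(base64.encodebytes(favicon))


def brand_spoof_query(favicon: bytes, legitimate_domain: str) -> str:
    """Hypothetical helper: build the Example 1 query for an arbitrary brand favicon."""
    return f'favicon_murmur3 = {favicon_murmur3(favicon)} AND domain != "{legitimate_domain}"'


# Constructed stand-in for a favicon file; a real run would read favicon.ico from disk.
SAMPLE_FAVICON = bytes(range(256)) * 3

if __name__ == "__main__":
    print(brand_spoof_query(SAMPLE_FAVICON, "example.com"))
```

Before pivoting on a hash, confirm it against a known-good value: hashing PayPal's current favicon with this routine should give 309020573 if the convention assumed here is the one Web Scanner uses; if it does not, the field is computed differently and the query will silently return nothing.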

Example 2: Locating IPs using the AkamaiGHost CDN

header.server = "AkamaiGHost"

Example 3: Locating servers whose DDoS protection is reported as not configured, and so remain exposed to DDoS attacks

htmltitle = "DDoS* not configured" AND response > 200 AND header.server = "ddos*"

Example 4: Using the WHOIS data source to browse through historical WHOIS records

Queries against historical WHOIS records are run with the WHOIS data source selected (see the list of data sources linked above).

Example 5: IPs with SSL certificates expiring within the next day

ssl.not_after > now AND ssl.not_after < now+1d

Use cases

Web Scanner fulfils a number of CTI-related use cases across a range of cybersecurity job roles.

Web Scanner is particularly useful for locating and traversing infrastructure that is attempting to spoof a brand or supply chain operation, through the use of spoofed HTML titles, favicons and on-page HTML content.

1. Threat Analyst/Threat Hunter

Threat Analysts can use Web Scanner to hunt for adversary infrastructure that shares a set of content parameters, including domains and IPs specific to certain TTPs.

Once a starting point has been identified (e.g. a malicious domain or IP), scanning for matching content and pivoting across results allows analysts to reveal hidden clusters of threat activity, helping teams to map out previously unknown attack vectors.

2. SOC Analyst

SOC teams can use Web Scanner to obtain enriched context on an unknown observable surfaced by their detection tooling in a single query, without further manual pivots, saving time and resources.

Once an analyst has identified a parameter to search on, a Web Scanner query returns the infrastructure that shares it; the results can be used to triage alert data and to extend blocking mechanisms with the connected domains and IPs.

3. Incident Responder

Web Scanner can be used during cybersecurity events to map out active and pre-weaponized infrastructure that is being used - or has been used - in an attack.

Once IR staff have established an initial intrusion or attack point in the form of a domain or IP, Web Scanner queries return datasets that include all infrastructure linked to that observable. This lets teams understand the full operational scope of an attack, including hosting infrastructure and webpages, and supports remediation and investigative actions once an attack has occurred.