Silent Push performs comprehensive WHOIS scanning to extract, enrich, and correlate registrar-based ownership data for domains observed globally. This process aids SOC teams and security analysts in infrastructure mapping, threat actor attribution, and campaign tracking.
What We Collect
Registrant Name & Email: Enables identification of individual or organizational ownership.
Registrar Information: Tracks registration through known registrars, especially those commonly used in abuse.
Domain Creation, Update, and Expiry Dates: Vital for identifying domain age, renewal behaviors, and suspicious time-based patterns.
WHOIS Server: Useful for source tracing and validation.
Nameservers: Allows detection of shared infrastructure and DNS hosting patterns.
Organization & Address Info: Additional signals for corporate vs. individual ownership.
Use the WHOIS Scanner
To investigate domain ownership and registration patterns:
1. From the Silent Push homepage, select WHOIS Data > WHOIS Scanner.
2. Build your query:
   - In Field Name, type or select a WHOIS field (e.g., name, email, created).
   - Choose an Operator (equals, !=, contains, >, <, etc.).
   - Enter the Value.
   - Optionally add multiple conditions using .
3. Click Search.
Results Table
| Field | Description |
|---|---|
| scan_date | Date/time of the WHOIS scan. |
| domain | Queried domain name. |
| created | Original domain registration date/time. |
| expires | Expiry date unless renewed. |
| name | Registered owner name. |
| organization | Associated organization. |
| registrar | Registrar name. |
| zipcode | Owner's postal code. |
| state | Owner's registered state. |
| updated | Last modification of WHOIS details. |
| nshash | Hash of the nameserver value. |
| nameserver | Nameserver used to link to hosting IP. |
| email | Registered email address. |
| country | Registered country. |
| address | Street address. |
| city | Registered city. |
Manage Results
| Feature | Function |
|---|---|
| Select All | Bulk-select results. |
| Copy | Copy selected/visible records. |
| Export | Export current or selected data. |
| Filter | Customize visible columns. |
| Basic Raw Data | Download results in JSON format. |
| Compare | Compare any two records. |
| Save | Save search for reuse. |
Hunting Example – Lumma Stealer
Use WHOIS pivots to trace threat actor patterns. Investigate a suspicious domain such as elephancouped[.]fun:
- PADNS tab: identifies ASN = 13335 (Cloudflare).
- WHOIS tab: reveals registrant Klim Puzharskiy.
- Search Klim Puzharskiy via WHOIS Scanner → 51 linked domains.
- Common traits: .fun TLD, same registrar (PDR), same registration time.
Advanced Query Example
To investigate using the Advanced Search function:
1. From the Silent Push homepage, select Web Data > Web Scanner > WHOIS Scan.
2. Select the Advanced Search tab.
3. Combine the attributes that fingerprint the cluster: .fun TLD, same registrar (PDR), same registration time, nameserver information, and wildcards where a value varies across domains.

```
datasource = "whois" AND created > "2025-02-21 09:36:40" AND registrar = "PDR Ltd. d/b/a PublicDomainRegistry.com" AND nameserver = "*.ns.cloudflare.com" AND domain = "*.fun"
```
Additional Pivots
- Email field: search for domains linked to `*@inbox.eu`.
- Name pattern regex: use `name ~= "^[A-Z][a-z]+ [A-Z][a-z]+$"` to identify domains with similar name patterns.

Advanced query with multiple attributes:

```
datasource = "whois" AND created > "2025-02-21 09:36:40" AND registrar = "PDR Ltd. d/b/a PublicDomainRegistry.com" AND nameserver = "*.ns.cloudflare.com" AND domain = "*.fun" AND email = "*@inbox.eu" AND name ~= "^[A-Z][a-z]+ [A-Z][a-z]+$"
```
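The following is an added example, not Silent Push code and not its query engine: a small local evaluator that applies the same kind of ANDed conditions (wildcard `=`, `!=`, `contains`, `~=` regex, and `>`/`<` on the created timestamp) to a handful of constructed WHOIS records, then reports which fields the resulting cluster shares, mirroring the "common traits" step of the hunting example above. The record fields follow the results table; the sample domains, emails and names are constructed placeholders, and the condition semantics are assumptions about how such a query behaves.

```python
import re
from datetime import datetime

PDR = "PDR Ltd. d/b/a PublicDomainRegistry.com"

# Constructed sample WHOIS scan records for illustration; not real Silent Push output.
SAMPLE_RECORDS = [
    {"domain": "alpha-example.fun", "created": "2025-02-22 10:00:00", "registrar": PDR,
     "nameserver": "ada.ns.cloudflare.com", "email": "actor1@inbox.eu", "name": "Jane Doe"},
    {"domain": "beta-example.fun", "created": "2025-02-23 11:15:00", "registrar": PDR,
     "nameserver": "bob.ns.cloudflare.com", "email": "actor2@inbox.eu", "name": "John Smith"},
    # Registered before the cutoff: should be excluded by the created > condition.
    {"domain": "gamma-example.fun", "created": "2025-02-20 08:00:00", "registrar": PDR,
     "nameserver": "ada.ns.cloudflare.com", "email": "actor3@inbox.eu", "name": "Mary Major"},
    # Wrong TLD: excluded by domain = "*.fun".
    {"domain": "delta-example.com", "created": "2025-02-24 09:00:00", "registrar": PDR,
     "nameserver": "ada.ns.cloudflare.com", "email": "actor4@inbox.eu", "name": "Sam Hill"},
    # Different mail provider: excluded by email = "*@inbox.eu".
    {"domain": "epsilon-example.fun", "created": "2025-02-25 12:00:00", "registrar": PDR,
     "nameserver": "bob.ns.cloudflare.com", "email": "owner@example.org", "name": "Ann Lee"},
    # Different registrar and nameserver: excluded by both conditions.
    {"domain": "zeta-example.fun", "created": "2025-02-26 13:00:00",
     "registrar": "Example Registrar Inc.", "nameserver": "ns1.example-dns.net",
     "email": "actor6@inbox.eu", "name": "Privacy Protected"},
]

# The page's advanced query as (field, operator, value) conditions joined by AND.
ADVANCED_QUERY = [
    ("created", ">", "2025-02-21 09:36:40"),
    ("registrar", "=", PDR),
    ("nameserver", "=", "*.ns.cloudflare.com"),
    ("domain", "=", "*.fun"),
    ("email", "=", "*@inbox.eu"),
    ("name", "~=", r"^[A-Z][a-z]+ [A-Z][a-z]+$"),
]


def wildcard_regex(pattern):
    """Translate a '*' wildcard pattern into a regex; every other character is literal."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def parse_ts(value):
    """Timestamps in the sample records use the same 'YYYY-MM-DD HH:MM:SS' layout as the query."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def condition_matches(record, field, op, value):
    """Evaluate one condition against one record (assumed operator semantics)."""
    actual = str(record.get(field, ""))
    if op == "=":
        return re.fullmatch(wildcard_regex(value), actual) is not None
    if op == "!=":
        return re.fullmatch(wildcard_regex(value), actual) is None
    if op == "~=":
        return re.search(value, actual) is not None
    if op == "contains":
        return value in actual
    if op in (">", "<"):
        left, right = parse_ts(actual), parse_ts(value)
        return left > right if op == ">" else left < right
    raise ValueError(f"unsupported operator: {op}")


def apply_query(records, conditions):
    """Return the records that satisfy every condition (conditions are ANDed)."""
    return [r for r in records if all(condition_matches(r, f, o, v) for f, o, v in conditions)]


def shared_values(records, fields=("registrar", "nameserver", "email")):
    """Report the fields (plus the TLD) on which every record in the cluster agrees."""
    if not records:
        return {}
    enriched = [dict(r, tld=r["domain"].rsplit(".", 1)[-1]) for r in records]
    shared = {}
    for field in tuple(fields) + ("tld",):
        values = {r.get(field) for r in enriched}
        if len(values) == 1:
            shared[field] = values.pop()
    return shared


if __name__ == "__main__":
    hits = apply_query(SAMPLE_RECORDS, ADVANCED_QUERY)
    for hit in hits:
        print(hit["domain"], hit["created"], hit["email"], hit["name"])
    print("shared traits:", shared_values(hits))
```

Running the script lists the two constructed domains that satisfy all six conditions and reports that the cluster shares its registrar and TLD but not a single nameserver or email, which is exactly why the page's query uses wildcards for those two fields.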
Benefits
Silent Push’s WHOIS-based pivots enable users to:
Trace threat actor infrastructure despite DNS/hosting obfuscation.
Identify campaign clusters using registrar, time, email, and other metadata.
Enhance threat attribution when DNS or SSL data is insufficient.