---
title: "WHOIS Search"
slug: "whois-search"
updated: 2025-12-31T16:51:44Z
published: 2025-12-31T16:51:44Z
canonical: "help.silentpush.com/whois-search"
---

# WHOIS Search

Silent Push performs a comprehensive WHOIS Search to extract, enrich, and correlate registrar-based ownership data for domains observed globally. This process aids SOC teams and security analysts in infrastructure mapping, threat actor attribution, and campaign tracking.

## What We Collect

**Registrant Name & Email:** Enables identification of individual or organizational ownership.

**Registrar Information:** Tracks registration through known registrars, especially those commonly used in abuse.

**Domain Creation, Update, and Expiry Dates:** Vital for identifying domain age, renewal behaviors, and suspicious time-based patterns.

**WHOIS Server:** Useful for source tracing and validation.

**Nameservers:** Allows detection of shared infrastructure and DNS hosting patterns.

**Organization & Address Info:** Additional signals for corporate vs. individual ownership.

## Use WHOIS Search

To investigate domain ownership and registration patterns:

1. From the Silent Push homepage, select **WHOIS Data** > **WHOIS Search**.
2. Build Your Query:
  - In **Field Name**, type or select a WHOIS field (e.g., name, email, created, etc.).
  - Choose an **Operator** (equals, !=, contains, >, <, etc.).
  - Enter the **Value**.
  - Optionally add multiple conditions using **.
3. Click **Search**.

## Results Table

| Result Type | Description |
| --- | --- |
| scan_date | Date/time of the WHOIS scan. |
| domain | Queried domain name. |
| created | Original domain registration date/time. |
| expires | Expiry date unless renewed. |
| name | Registered owner name. |
| organization | Associated organization. |
| registrar | Registrar name. |
| zipcode | Owner’s zip/postal code. |
| state | Owner's registered state. |
| updated | Last modification of WHOIS details. |
| nshash | Hash of the nameserver value. |
| nameserver | Nameserver used to link to the hosting IP. |
| email | Registered email address. |
| country | Registered country. |
| address | Street address. |
| city | Registered city. |

## Manage Results

| Feature | Function |
| --- | --- |
| Select All | Bulk-select results. |
| Copy | Copy selected/visible records. |
| Export | Export current or selected data. |
| Filter | Customize visible columns. |
| Basic Raw Data | Download results in JSON format. |
| Compare | Compare any two records. |
| Save | Save search for reuse. |

### Hunting Example – Lumma Stealer

Use WHOIS pivots to trace threat actor patterns. Investigate a suspicious domain like:

```plaintext
 elephancouped[.]fun
```

- **PADNS tab**: Identifies ASN = 13335 (Cloudflare) ![image.png](https://cdn.document360.io/8e5460b3-9d96-4b01-8bb3-6591a4af3a8c/Images/Documentation/image%2828%29.png)
- **WHOIS tab**: Reveals the registrant: Klim Puzharskiy ![image.png](https://cdn.document360.io/8e5460b3-9d96-4b01-8bb3-6591a4af3a8c/Images/Documentation/image%2829%29.png)
- Search Klim Puzharskiy via WHOIS Search → 51 linked domains.
  - Common traits: .fun TLD, same registrar (PDR), same registration time. ![image.png](https://cdn.document360.io/8e5460b3-9d96-4b01-8bb3-6591a4af3a8c/Images/Documentation/image%2830%29.png)

### Advanced Query Example

To investigate using the **Advanced Search** function:

1. From the left navigation menu, select **Web Data > Web Search > WHOIS Scan**.
2. Select the **Advanced Search** tab.
3. Fingerprint the cluster on its common attributes: the .fun TLD, the same registrar (PDR), the same registration time, and nameserver information, using wildcards where a field varies across the cluster:

```plaintext
datasource = "whois" AND created > "2025-02-21 09:36:40" AND registrar = "PDR Ltd. d/b/a PublicDomainRegistry.com" AND nameserver = "*.ns.cloudflare.com" AND domain = "*.fun"
```

### Additional Pivots

- **Email field**: Search for domains linked to `*@inbox.eu`
- **Name pattern regex**: Use `name ~= "^[A-Z][a-z]+ [A-Z][a-z]+$"` to identify domains with similar name patterns.

### Advanced Query with Multiple Attributes

Combining the registrar, timing, nameserver, TLD, email, and name-pattern pivots into a single query:

```plaintext
datasource = "whois" AND created > "2025-02-21 09:36:40" AND registrar = "PDR Ltd. d/b/a PublicDomainRegistry.com" AND nameserver = "*.ns.cloudflare.com" AND domain = "*.fun" AND email = "*@inbox.eu" AND name ~= "^[A-Z][a-z]+ [A-Z][a-z]+$"
```
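As an added illustration (not Silent Push's code or query engine), the following Python evaluates the advanced query above against WHOIS records in the Results Table shape, treating `*` in a value as a wildcard and `~=` as a regex match. The records, the non-PDR registrar, nameservers, names and email addresses are constructed for the example.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")  # "YYYY-MM-DD HH:MM:SS" as on the page

# Operators from the Field Name / Operator / Value builder; "=" honours "*" wildcards, "~=" is regex.
OPERATORS = {
    "=":        lambda a, e: fnmatchcase(a.lower(), e.lower()),
    "!=":       lambda a, e: not fnmatchcase(a.lower(), e.lower()),
    "contains": lambda a, e: e.lower() in a.lower(),
    ">":        lambda a, e: parse_ts(a) > parse_ts(e),
    "~=":       lambda a, e: re.search(e, a) is not None,
}

def run_query(records, conditions):
    """Domains whose record satisfies every (field, op, value); conditions are AND-ed as on the page."""
    return sorted(r["domain"] for r in records
                  if all(OPERATORS[op](r.get(f, ""), v) for f, op, v in conditions))

def rec(domain, created, registrar, ns, email, name):
    return dict(domain=domain, created=created, registrar=registrar,
                nameserver=ns, email=email, name=name)

# Constructed sample records (made-up values, not real WHOIS data).
PDR = "PDR Ltd. d/b/a PublicDomainRegistry.com"
RECORDS = [
    rec("alpha-promo.fun", "2025-02-21 09:41:03", PDR, "ada.ns.cloudflare.com", "alpha@inbox.eu", "Ivan Petrov"),
    rec("beta-promo.fun",  "2025-02-21 09:41:05", PDR, "bob.ns.cloudflare.com", "beta@inbox.eu", "Oleg Sidorov"),
    rec("gamma-shop.fun",  "2025-01-10 12:00:00", PDR, "ada.ns.cloudflare.com", "gamma@inbox.eu", "Pavel Orlov"),   # too old
    rec("delta-shop.com",  "2025-02-22 08:00:00", PDR, "ada.ns.cloudflare.com", "anna@example.net", "Anna Kova"),   # wrong TLD
    rec("epsilon.fun",     "2025-02-21 10:00:00", "Example Registrar LLC", "ns1.example-dns.net", "eps@inbox.eu", "Dmitry Volkov"),
    rec("zeta.fun",        "2025-02-21 10:05:00", PDR, "ada.ns.cloudflare.com", "zeta@inbox.eu", "acme hosting ltd"),  # name fails regex
]

# The page's registrar/time/nameserver/TLD query, then the version extended with email and name pattern.
BASE_QUERY = [
    ("created", ">", "2025-02-21 09:36:40"),
    ("registrar", "=", PDR),
    ("nameserver", "=", "*.ns.cloudflare.com"),
    ("domain", "=", "*.fun"),
]
FULL_QUERY = BASE_QUERY + [
    ("email", "=", "*@inbox.eu"),
    ("name", "~=", r"^[A-Z][a-z]+ [A-Z][a-z]+$"),
]
```

Running `run_query(RECORDS, FULL_QUERY)` keeps only the two records that share every trait, which is the tightening effect each added pivot has on a cluster.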

### Benefits

Silent Push’s WHOIS-based pivots enable users to:

- Trace threat actor infrastructure despite DNS/hosting obfuscation.
- Identify campaign clusters using registrar, time, email, and other metadata.
- Enhance threat attribution when DNS or SSL data is insufficient.

**WHOIS Search:** a tool that queries the WHOIS protocol on TCP port 43 to retrieve domain registration details, enabling analysis of ownership, registrar, and other metadata for threat intelligence.
