Extracting real-time URL data with Silent Push 'Live Scan'

platform
Screenshot of Silent Push results on Live Scan

Live Scan allows you to extract real-time data from a single URL on the clearnet or darkweb, across a range of categories, and view historical scan results for the specified URL.

You can use Live Scan datasets to perform additional DNS and hash-based pivots, map out attacker TTPs, pinpoint malicious infrastructure and gather intelligence on specific attack vectors and threat groups. 

This blog will show you how to perform a Live Scan query, and how to work with the dataset to produce actionable intelligence.

‘Live Scan’ video tutorial

Before you read the blog, check out our tutorial video that covers off the basics:

Scanning a URL

Live Scan is available as part of a Silent Push Community or Enterprise subscription. There are two ways to execute a URL scan:

  1. Input any public or .onion URL into the search box on the home page, and click ‘Live Scan’
  2. Navigate to ‘Explore Web Data > Live Scan’

Viewing ‘Live Scan’ results

Scan results, including a live screenshot of the URL, are populated below the search box:

The ‘Query Results’ section contains the following data, with a range of use cases across the board:

  • HTML data: Establish site functionality and identify common phishing indicators.
  • Live screenshot: Preview how the site appears to users.
  • Favicon data, including hash values: Track hash values to identify favicon spoofing or phishing attempts.
  • Redirect chain: Identify suspicious URL destinations and attack vectors across a full redirect chain.
  • Body data, including hash values: Detect similar page layouts across attacker infrastructure. Uncover phishing kits and forms attributed to specific threat actors.
  • Open directories: Pinpoint open directories and publicly exposed data.
  • SSL data: Verify the validity of SSL certificates, identify signs of an SSL stripping attack and and assess the encryption strength of a domain.
  • Risk score of the domain and IP: View risk scores for the destination domain and hosting IP.

Pivoting across ‘Live Scan’ data

The ability to one-click pivot on domains and IPs returned in a set of Live Scan results allows you to fast-track your intelligence gathering operation and traverse attacker infrastructure quickly and more efficiently than running separate queries.

From the results screen, you can enrich any domain or IP highlighted in blue, and perform additional DNS queries using the passive DNS lookup function:

‘Live Scan’ pivot function

Hash-based pivots

You can also use any of the hash values returned to detect similar infrastructure.

Read our Knowledge Base for a full list of fuzzy and exact match hash values used within the platform, including body similarity hashes, favicon md5 and Murmur3 hashes, and proprietary script, certificate and header hash values.

Viewing historical scan results

Live Scan gives you the ability to view historical scan results related to your chosen URL, allowing you to gather all the data that’s ever been collected for a single URL.

The feature automatically executes a Web Scanner query for your chosen URL, including the relevant data source.

You can use the Web Scanner UI to adjust query parameters and narrow your search to produce targeted datasets:

Historical scan results

Working with the raw data

You can view scanned data in raw format, and copy it to the clipboard to feed into your existing security stack, or share with your team:

‘Basic Raw Data’ view

View risk scores for a URL

Risk scores help you to make operational judgements based on the likelihood of a URL being involved in malicious activity.

Risk scores are displayed for the destination URL and the hosting IP, immediately above the screenshot in the ‘Query Results’ section:

‘Live Scan’ risk scores

Establish a redirect chain

On the left-hand side of the ‘Query Results’ section, you can view the full redirect chain involved in resolving a URL to help identify attacker infrastructure.

The redirect chain shows the origin URL through to the final URL displayed in the screenshot, where a redirect exists:

‘Live Scan’ redirect chain

Register for Community Edition

Live Scan is available in both the Community and Enterprise editions of the Silent Push platform.

If you’d like to try out this feature and leverage our first-party database, sign up for the free Community edition using the link below.