Netlas for security research

Threat hunting with Netlas.io

By using Netlas proactively, security teams can uncover potential threats even before they are exploited.
Netlas provides visibility into devices and services exposed to the internet. This data makes the search engine an effective threat hunting tool, primarily for identifying infrastructure owned by malicious actors.
Using Netlas, a threat hunter can quickly identify the IOCs (indicators of compromise) of a specific piece of malicious software, search for other instances of that software using the IOCs as search patterns, and promptly block interaction with the malicious infrastructure.
An example of IOCs and a search query for an open-source phishing framework is given in the use case on IP reputation scoring. Another good example is the search for malicious servers.

Search for C&C servers

Command and control (C&C) servers, which malicious actors use to control infected computers, typically hide or masquerade as something legitimate. Researchers need to consider several indicators, and combinations of them, to build a search pattern. Possible indicators include:
  • fields in the service response headers;
  • title and content of the returned web page (for web);
  • favicon (for web);
  • used ports and protocols;
  • SSL certificate and secure connection settings;
  • specific error codes or error messages, etc.
Searching by SSL certificate is often the most effective. Because many tools reuse a certificate instead of issuing one per instance, a certificate match indicates the same software. Matching can be done on the JARM fingerprint of the TLS handshake or on certificate hashes. Using this approach you can find, for example, Metasploit servers or Cobalt Strike software. In addition to hashes and fingerprints, the search can use certificate fields such as subject, issuer, and so on.
All the indicators mentioned above are searchable on Netlas. By identifying several IOCs and assessing the significance of each, the researcher can build a search query that identifies C&C servers using Netlas.
Similarly, services used for penetration testing, frameworks for emulating or executing attacks, phishing frameworks, sites infected with crypto-miners, and much more can be found.
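The step of "identifying several IOCs and assessing the significance of each" can be expressed as a weighted match: every indicator gets a weight that reflects how instance-specific it is (a reused certificate hash or JARM fingerprint counts for much more than a port number or a Server header), and a record is flagged only when the combined weight of its matches crosses a threshold. The script below is an added example written for this page; it is not Netlas code, the record layout is a constructed stand-in rather than the Netlas response schema, and every indicator value (the certificate bytes, the JARM and favicon strings, the title) is a constructed placeholder. It runs entirely offline on the embedded sample records.

```python
"""Weighted IOC matching over scan records (added example, not Netlas code).

The record layout is a constructed stand-in for scan-engine output; it is
not the Netlas response schema. All indicator values are constructed
placeholders, not real C&C fingerprints.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a certificate's DER bytes. In practice the hash
# would be taken from the scan record or computed from the served cert.
KNOWN_BAD_CERT_DER = b"constructed-der-bytes-for-this-example-only"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding: the usual certificate-hash pivot."""
    return hashlib.sha256(der).hexdigest()


# Indicator name -> (expected value, weight). The weights are an assumption:
# the more instance-specific the indicator, the more evidence a match gives.
# A reused certificate or JARM fingerprint identifies the software itself;
# a port number or Server header is weak on its own.
IOC_PROFILE: Dict[str, Tuple[str, float]] = {
    "cert_sha256": (cert_fingerprint(KNOWN_BAD_CERT_DER), 5.0),
    "jarm": ("placeholder-jarm-fingerprint-0000", 4.0),
    "favicon_hash": ("placeholder-favicon-hash-1111", 3.0),
    "title": ("example update portal", 2.0),
    "server_header": ("apache/2.4.0 (example)", 1.0),
    "port": ("50050", 1.0),
}

# Minimum combined weight before a record is flagged. Chosen so that no
# single weak indicator, and not even the certificate alone, is enough.
MATCH_THRESHOLD = 6.0


def _norm(value) -> str:
    """Case- and whitespace-insensitive comparison for header/title fields."""
    return " ".join(str(value).split()).lower()


def score_record(record: Dict[str, str],
                 profile: Dict[str, Tuple[str, float]] = IOC_PROFILE
                 ) -> Tuple[float, List[str]]:
    """Return (total weight of matched indicators, names of matched indicators)."""
    total = 0.0
    hits: List[str] = []
    for name, (expected, weight) in profile.items():
        if name in record and _norm(record[name]) == _norm(expected):
            total += weight
            hits.append(name)
    return total, hits


def triage(records: List[Dict[str, str]],
           profile: Dict[str, Tuple[str, float]] = IOC_PROFILE,
           threshold: float = MATCH_THRESHOLD
           ) -> List[Tuple[str, float, List[str]]]:
    """Flag records whose combined indicator weight reaches the threshold."""
    flagged = []
    for rec in records:
        score, hits = score_record(rec, profile)
        if score >= threshold:
            flagged.append((rec["ip"], score, hits))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


# Constructed scan records; the addresses are RFC 5737 documentation ranges.
SAMPLE_RECORDS = [
    {   # same cert, JARM, favicon, title and port: near-certain match
        "ip": "192.0.2.10", "port": "50050",
        "cert_sha256": cert_fingerprint(KNOWN_BAD_CERT_DER),
        "jarm": "placeholder-jarm-fingerprint-0000",
        "favicon_hash": "placeholder-favicon-hash-1111",
        "title": "Example Update Portal",
    },
    {   # certificate replaced, but JARM, favicon and title still match
        "ip": "192.0.2.11", "port": "443",
        "cert_sha256": cert_fingerprint(b"some-other-constructed-cert"),
        "jarm": "placeholder-jarm-fingerprint-0000",
        "favicon_hash": "placeholder-favicon-hash-1111",
        "title": "example update portal",
    },
    {   # only weak indicators: a common port and a Server header
        "ip": "198.51.100.5", "port": "50050",
        "server_header": "Apache/2.4.0 (Example)",
        "title": "Welcome",
    },
]

if __name__ == "__main__":
    for ip, score, hits in triage(SAMPLE_RECORDS):
        print(f"{ip}: score {score} via {', '.join(hits)}")
```

The second sample record shows why the weights matter: the operator swapped the certificate, so a search on the certificate hash alone would miss it, but the JARM fingerprint, favicon and page title together still clear the threshold. The third record has the same port and Server header as the profile yet stays below the threshold, which is the kind of false positive a single-indicator query would return.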