Threat Hunting with 20 Urlscan.io Search Queries

 


Threat hunters often seek effective methods to detect and track command-and-control (C2) servers, open directories (commonly identified by the phrase “Index of”), and phishing infrastructure. Open directories can unintentionally expose sensitive files, malware payloads, or attacker toolkits, making them valuable indicators during threat hunting.

To support this process, I’ve compiled 20 practical URLScan.io queries that can be used to hunt for:

  • Misconfigured or exposed open directories

  • Potential C2 panels

  • Indicators of phishing campaigns, such as spoofed login pages or malicious email payloads

These queries are designed to help security analysts uncover early-stage infrastructure and gain visibility into adversary behavior before an attack escalates.

20 Urlscan.io Search Queries:

  • task.tags:"threat"

  • task.tags:"opendir"

  • filename:".php"

  • task.tags:(@ecarlesi AND threat AND opendir)

  • task.tags:"possiblethreat"

  • task.tags:"c2"

  • task.tags:(c2 AND malware)

  • task.tags:(@ecarlesi) AND page.url:".php" AND task.tags:threat

  • task.tags:(@ecarlesi) AND page.url:".php" AND task.tags:possiblethreat

  • task.tags:(@ecarlesi) AND page.url:".php" AND task.tags:malware

  • task.tags:(@ecarlesi) AND page.url:".php" AND task.tags:c2

  • task.tags:(@ecarlesi) AND page.url:".php" AND task.tags:phishing

  • task.tags:"c2" AND page.title:"Panel"

  • task.tags:"opendir" AND page.url:"evil.php"

  • task.tags:"opendir" AND page.url.keyword:"con.php"

  • task.tags:"opendir" AND filename:"evil.php"

  • task.tags:"falconsandbox" AND page.url:""

  • task.tags:"falconsandbox" AND page.title:""

  • task.tags:"falconsandbox" AND page.url.keyword:""

  • task.tags:"falconsandbox" AND filename:""
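
Added example (not part of the original post): a Python helper for running the queries above through the urlscan.io Search API and collapsing the hits into one triage row per domain. It replaces the typographic quotes that queries copied from a web page often carry with ASCII quotes; the sample response is constructed, and the function names and the `api_key` argument are illustrative assumptions.

```python
import json
from collections import defaultdict
from urllib.parse import urlencode
from urllib.request import Request, urlopen

SEARCH_API = "https://urlscan.io/api/v1/search/"
# Typographic quotes picked up when a query is copied from a web page.
SMART_QUOTES = {0x201C: '"', 0x201D: '"', 0x2018: "'", 0x2019: "'"}

def build_search_url(query, size=100, search_after=None):
    """Normalize quotes and URL-encode the query for the Search API."""
    params = {"q": query.translate(SMART_QUOTES).strip(), "size": size}
    if search_after:
        params["search_after"] = search_after
    return SEARCH_API + "?" + urlencode(params)

def fetch(query, api_key, **kw):
    """Run one search (network call; the offline demo below does not use it)."""
    req = Request(build_search_url(query, **kw), headers={"API-Key": api_key})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)

def next_cursor(response):
    """search_after value for the next page: the last hit's sort key."""
    hits = response.get("results", [])
    return ",".join(str(v) for v in hits[-1]["sort"]) if hits else None

def summarize(response):
    """Collapse hits to one triage row per domain."""
    rows = defaultdict(lambda: {"scans": 0, "ips": set(), "tags": set(), "first_seen": None})
    for hit in response.get("results", []):
        page, task = hit.get("page", {}), hit.get("task", {})
        row = rows[page.get("domain", "unknown")]
        row["scans"] += 1
        row["ips"].update(filter(None, [page.get("ip")]))
        row["tags"].update(task.get("tags", []))
        # ISO-8601 UTC timestamps sort correctly as strings; keep the earliest.
        row["first_seen"] = min(filter(None, [row["first_seen"], task.get("time")]), default=None)
    return dict(rows)

# Constructed sample response (reserved example domains and TEST-NET addresses).
SAMPLE = {"results": [
    {"task": {"time": "2024-05-03T08:15:00.000Z", "tags": ["opendir"]}, "page": {"domain": "files.example.com", "ip": "192.0.2.10"}, "sort": [1714724100000, "uuid-c"]},
    {"task": {"time": "2024-05-02T10:00:00.000Z", "tags": ["opendir", "threat"]}, "page": {"domain": "files.example.com", "ip": "192.0.2.11"}, "sort": [1714644000000, "uuid-b"]},
    {"task": {"time": "2024-05-01T10:00:00.000Z", "tags": ["c2"]}, "page": {"domain": "panel.example.net", "ip": "198.51.100.7"}, "sort": [1714557600000, "uuid-a"]},
]}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), default=sorted, indent=2))
```

Pass the value returned by `next_cursor` as `search_after` to page through result sets larger than `size`.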
