mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-26 11:44:37 +03:00
mukul975
1.8 KiB
1.8 KiB
Standards & References: Analyzing Malicious URLs with URLScan
MITRE ATT&CK References
- T1566.002: Phishing: Spearphishing Link
- T1204.001: User Execution: Malicious Link
- T1608.005: Stage Capabilities: Link Target
- T1071.001: Application Layer Protocol: Web Protocols
- T1102: Web Service (for C2 via web)
URLScan.io API Reference
| Endpoint | Method | Description |
|---|---|---|
/api/v1/scan/ |
POST | Submit URL for scanning |
/api/v1/result/{uuid}/ |
GET | Get scan results |
/api/v1/search/?q= |
GET | Search scan database |
/api/v1/result/{uuid}/screenshot/ |
GET | Get page screenshot |
/api/v1/result/{uuid}/dom/ |
GET | Get rendered DOM |
Search Query Syntax
domain:example.com- Search by domainip:1.2.3.4- Search by IPserver:nginx- Search by web serverfilename:login.php- Search by filenamehash:abc123- Search by resource hashpage.domain:example.com AND date:>now-7d- Combined queries
Industry Standards
- NIST SP 800-83: Guide to Malware Incident Prevention and Handling
- NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response
- RFC 3986: Uniform Resource Identifier (URI) syntax
URL Classification Indicators
| Indicator | Risk Level | Description |
|---|---|---|
| Domain age < 7 days | Critical | Very recently registered |
| Domain age < 30 days | High | Recently registered |
| Free TLS cert (Let's Encrypt) with brand impersonation | High | Common phishing pattern |
| URL shortener | Medium | Obfuscates destination |
| Credential input form on non-brand domain | Critical | Credential harvesting |
| JavaScript obfuscation | High | Evasion technique |
| Multiple redirects | Medium | Chain obfuscation |
| Data URI scheme | High | Inline content, hard to trace |