Example Queries
NOTE: ALL QUERIES ARE IN LUCENE UNLESS OTHERWISE NOTED
Stealer Logs
For now, only four fields are processed from stealer logs:
- Host
- Software
- Username
- Password
Host is typically the URL the credential was saved for.
Partial Username Search
This is useful for finding breached third-party accounts (e.g. client@gmail.com) that might not use the corporate email domain.
username.partial:"blackhills"
Host Search
Partial matches are supported, but only on whole subdomain components, not on arbitrary substrings.
For example, for the URL https://secret.bhis.co we can match on "bhis", "bhis.co", or "secret", but not on "sec".
host:"blackhills"
Passwords
Email Domain Results with Passwords
email:"*@example.com" AND _exists_:"password"
Phone Numbers
Email Domain Results with Phone Numbers
email:"*@example.com" AND _exists_:"phone_number"
High Confidence Mobile Numbers
The Parkmobile breach was a parking app, so records with phone numbers in them are HIGHLY likely to be mobile numbers. These make great SMS phishing targets.
_index:"leak_parkmobile" AND email:"*@example.com" AND _exists_:"phone_number"
Company Names
These searches match broadly, so filter to the exact string if you want only exact matches.
linkedin_company_name:"black hills" OR company_name:"black hills"
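As an added example (not part of the original page or the search tool itself), a small Python builder that produces the queries above for one or more corporate domains, escaping backslashes and double quotes inside the quoted values so a pasted value cannot break out of the phrase. Field names and the `_index` value are taken from this page; the function names are my own.

```python
"""Build the Lucene queries shown on this page for one or more corporate domains."""
from typing import Iterable, Optional, Sequence

# Inside a double-quoted Lucene phrase only backslash and double quote need escaping;
# the wildcard "*" used in email:"*@example.com" must be left untouched.
_PHRASE_ESCAPES = {"\\": "\\\\", '"': '\\"'}


def quote(value: str) -> str:
    """Return value as a double-quoted Lucene phrase with \\ and " escaped."""
    escaped = "".join(_PHRASE_ESCAPES.get(ch, ch) for ch in value)
    return f'"{escaped}"'


def domain_clause(domains: Iterable[str]) -> str:
    """email:"*@domain" for each domain, OR-ed and parenthesised when more than one."""
    clauses = [f"email:{quote('*@' + d.strip().lower())}" for d in domains if d.strip()]
    if not clauses:
        raise ValueError("at least one domain is required")
    return clauses[0] if len(clauses) == 1 else "(" + " OR ".join(clauses) + ")"


def exposure_query(domains: Iterable[str],
                   require_fields: Sequence[str] = ("password",),
                   index: Optional[str] = None) -> str:
    """Records for the given domains that carry every field in require_fields.

    index restricts the search to one breach index, e.g. "leak_parkmobile".
    """
    parts = []
    if index:
        parts.append(f"_index:{quote(index)}")
    parts.append(domain_clause(domains))
    parts.extend(f"_exists_:{quote(field)}" for field in require_fields)
    return " AND ".join(parts)


def partial_username_query(fragment: str) -> str:
    """Partial username match for stealer-log records (third-party accounts)."""
    return f"username.partial:{quote(fragment)}"


def host_query(label: str) -> str:
    """Host match; per the page this only matches whole subdomain components."""
    return f"host:{quote(label)}"


if __name__ == "__main__":
    # Constructed sample input: two corporate domains monitored together.
    print(exposure_query(["example.com", "example.org"], ("password", "phone_number")))
```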