Exploring GreyNoise Query Examples
GreyNoise runs a network of passive sensors across the internet, records which IP addresses scan or probe them, and labels each source as benign, malicious or unknown, with tags for the tools and behaviours observed. The GreyNoise Query Language (GNQL), a Lucene-style field:value syntax, lets you filter that data by classification, geography, network owner, scanned ports, tags, CVEs and client fingerprints. Below are some query examples that show what GNQL can do:
For instance, malicious-classified scanning activity from China that targets Australia.
20 example GNQL search queries. A few conventions apply throughout: whitespace between terms is an implicit AND, so any OR group must be parenthesised; values containing spaces go in double quotes; CVE IDs of the form CVE-2023-12345, hashes such as aabbccddeeff00112233 and ASNs such as AS12345 are placeholders to replace with real values; tag values must match GreyNoise's published tag names exactly; and GreyNoise's GNQL reference lists the geo and network fields under a metadata. prefix (for example metadata.country, metadata.organization) and the web and fingerprint fields under raw_data., so if a short field name below returns nothing, try the prefixed form:
Heartbleed Vulnerability Scans in the United States, matched by JA3 fingerprint (the query filters on the TLS client fingerprint and TCP only, not on a Heartbleed tag, so the attribution rests entirely on the hash; verify it before relying on it. The country value contains a space and must be quoted):
ja3.fingerprint:5244a012a90ad8f7e6ecbb694fda6024 country:"United States" raw_data.scan.protocol:TCP
Malicious Tor Exit Nodes in Germany:
tor:true classification:malicious country:Germany last_seen:>=2023-01-01
Suspicious HTTP User-Agents in San Francisco (Malicious is a placeholder for the user-agent substring you are hunting):
web.useragents:Malicious city:"San Francisco" region:California classification:unknown
Devices Scanning for SSH That Are Tagged with Specific CVEs (placeholder CVE IDs):
raw_data.scan.port:22 raw_data.scan.protocol:TCP (cve:CVE-2023-12345 OR cve:CVE-2023-54321)
VPN Usage by a Specific Organization (the field is vpn_service):
vpn_service:ExpressVPN organization:"Google" classification:benign
RDP Vulnerability Scans with Bot Activity:
tags:"RDP Scanner" bot:true classification:malicious
Recent Activity for Specific CVEs Aimed at a Single Destination Country (placeholder CVE IDs; single_destination:true keeps only sources observed hitting one destination country):
(cve:CVE-2023-12345 OR cve:CVE-2023-54321) single_destination:true last_seen:>=2023-01-01
Scanning for SCADA Protocols from Hosts with .gov Reverse DNS (the query has no geographic filter; to restrict it, add country: terms for the countries you care about):
(tags:"Modbus" OR tags:"DNP3") rdns:.gov
Malicious Devices in Berlin with a Specific HASSH Fingerprint (region: holds a state or province, not a continent, so the country is the right filter; the hash is a placeholder, a real HASSH is a 32-character MD5 hex digest):
country:Germany city:"Berlin" classification:malicious hassh.fingerprint:aabbccddeeff00112233
Devices with Specific CVEs in a Specific ASN (placeholder CVE IDs and ASN):
(cve:CVE-2023-12345 OR cve:CVE-2023-54321) asn:AS12345 classification:malicious
Benign-Classified Sources in the US Probing Common Admin Paths (the OR group must be parenthesised, otherwise the parser may attach the country and classification terms to only one of the paths):
(web.paths:"/wp-admin/" OR web.paths:"/admin/") country_code:US classification:benign
Devices with a Malicious HASSH Fingerprint in Microsoft's Network (placeholder hash):
hassh.fingerprint:aabbccddeeff00112233 organization:"Microsoft" classification:malicious
Unknown Classification in Tokyo with Specific Tags (country: replaces region:Asia, since region: is a state or province field; the tag value must be a name from GreyNoise's tag list):
country:Japan city:"Tokyo" classification:unknown tags:"AdvancedPersistentThreat"
Specific CVEs from Hosts with .edu Reverse DNS Targeting a Single Country (placeholder CVE IDs):
(cve:CVE-2023-12345 OR cve:CVE-2023-54321) rdns:.edu single_destination:true
Suspicious HTTP User-Agents from Canada via Tor (Suspicious is a placeholder for the user-agent substring you are hunting):
tor:true web.useragents:Suspicious country:Canada last_seen:>=2023-01-01
A Specific ASN Scanning for Exchange/OWA Paths (placeholder ASN; the OR group is parenthesised so the ASN filter applies to both paths):
asn:AS12345 (web.paths:"/exchange/" OR web.paths:"/owa/")
Malicious Activity in France by Siemens:
country_code:FR classification:malicious organization:"Siemens" last_seen:>=2023-01-01
Windows Devices Scanning Port 445 with Specific Tags (the OR group is parenthesised so the port, protocol and OS filters apply to both tags):
(raw_data.scan.port:445 AND raw_data.scan.protocol:TCP) os:Windows* (tags:"Conficker" OR tags:"EternalBlue")
HTTP Paths with a Matching JA3 Fingerprint (the OR group is parenthesised; the hash shown is 31 hex characters, one short of a valid 32-character MD5 JA3 hash, so substitute a complete fingerprint):
(web.paths:"/login/" OR web.paths:"/admin/") ja3.fingerprint:795b7ce13f60d61e9ac03611dd36d90
Specific Organization Scanning Specific Ports with Bot Activity:
organization:"Amazon" (raw_data.scan.port:80 OR raw_data.scan.port:443) bot:true last_seen:>=2023-01-01
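The precedence, placeholder and fingerprint-format problems in the list above can be caught before a query is sent. The Python below is an added example written for this page, not GreyNoise's own tooling and not code from the original article: it composes GNQL with explicit grouping, checks a hand-written query for an OR left un-parenthesised at the top level, for fingerprints that are not 32-hex-character MD5 digests and for malformed CVE identifiers, and optionally runs a query through GreyNoise's GNQL endpoint (https://api.greynoise.io/v2/experimental/gnql, authenticated with the key header) when GREYNOISE_API_KEY is set. Field names follow the short forms used on this page; the HTTP call is the only network-dependent part and is assumed, not exercised, here.

```python
"""Compose GNQL queries safely and sanity-check hand-written ones before spending API credits."""
import json
import os
import re
import urllib.parse
import urllib.request

# GreyNoise's documented GNQL endpoint; the HTTP call below is only made when an API key is set.
GNQL_ENDPOINT = "https://api.greynoise.io/v2/experimental/gnql"
MD5_HEX = re.compile(r"[0-9a-f]{32}")   # JA3 and HASSH fingerprints are MD5 digests
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def term(field, value):
    """Render one field:value pair, quoting values that contain spaces, slashes or other specials."""
    value = str(value)
    if re.search(r'[\s:()"/]', value):
        value = '"' + value.replace('"', '\\"') + '"'
    return f"{field}:{value}"


def any_of(*terms):
    """OR terms together inside parentheses so the OR cannot swallow neighbouring AND terms."""
    terms = [t for t in terms if t]
    if len(terms) <= 1:
        return terms[0] if terms else ""
    return "(" + " OR ".join(terms) + ")"


def all_of(*terms):
    """Implicit AND: whitespace-separated GNQL terms must all match."""
    return " ".join(t for t in terms if t)


def check_query(query):
    """Return a list of problems found in a GNQL query; an empty list means it looks sane."""
    problems = []
    if query.count("(") != query.count(")"):
        problems.append("unbalanced parentheses")
    for m in re.finditer(r"(?:ja3|hassh)\.fingerprint:([^\s)]+)", query):
        if not MD5_HEX.fullmatch(m.group(1).lower()):
            problems.append(f"fingerprint {m.group(1)!r} is not a 32-hex-char MD5 hash")
    for m in re.finditer(r"\bcve:([^\s)]+)", query):
        if not CVE_ID.fullmatch(m.group(1)):
            problems.append(f"cve value {m.group(1)!r} is not a CVE identifier")
    # Collapse quoted strings and parenthesised groups, then inspect what is left at the top level.
    flat = re.sub(r'"[^"]*"', "Q", query)
    while True:
        collapsed = re.sub(r"\([^()]*\)", "G", flat)
        if collapsed == flat:
            break
        flat = collapsed
    tokens = flat.split()
    ors = tokens.count("OR")
    terms = [t for t in tokens if t not in ("OR", "AND")]
    if ors and len(terms) > ors + 1:
        problems.append("OR mixed with implicit AND at top level; parenthesise the OR group")
    return problems


def page_queries():
    """The page's OR-containing queries rebuilt with explicit grouping (placeholder ASN kept)."""
    return {
        "admin_paths_us": all_of(
            any_of(term("web.paths", "/wp-admin/"), term("web.paths", "/admin/")),
            term("country_code", "US"), term("classification", "benign")),
        "exchange_paths_asn": all_of(
            term("asn", "AS12345"),   # placeholder ASN, as on the page
            any_of(term("web.paths", "/exchange/"), term("web.paths", "/owa/"))),
        "smb_windows": all_of(
            term("raw_data.scan.port", 445), term("raw_data.scan.protocol", "TCP"),
            term("os", "Windows*"),
            any_of(term("tags", "Conficker"), term("tags", "EternalBlue"))),
    }


def search(query, api_key, size=10):
    """Run a GNQL query against GreyNoise (network call; needs a real API key)."""
    url = GNQL_ENDPOINT + "?" + urllib.parse.urlencode({"query": query, "size": size})
    req = urllib.request.Request(url, headers={"key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    broken = 'web.paths:"/wp-admin/" OR web.paths:"/admin/" country_code:US classification:benign'
    print("as written on the page:", check_query(broken))
    for name, q in page_queries().items():
        print(name, "->", q, check_query(q))
    print(check_query("ja3.fingerprint:795b7ce13f60d61e9ac03611dd36d90"))  # 31 hex chars: flagged
    key = os.environ.get("GREYNOISE_API_KEY")
    if key:
        for hit in search(page_queries()["admin_paths_us"], key, size=5).get("data", []):
            print(hit.get("ip"), hit.get("classification"), hit.get("last_seen"))
```

Building queries through any_of and all_of rather than concatenating strings removes the precedence trap entirely: Lucene-style parsers differ in how tightly OR binds relative to the implicit AND between terms, so a query that happens to work in one place can silently match far more or far less elsewhere. The fingerprint check catches copy-paste truncation of a JA3 or HASSH hash, which otherwise returns an empty result set rather than an error.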