Changelog
🔑 GET YOUR FREE API KEY🤖 AI Assistant
Start typing to search…

{ New } - Company Search Endpoint

by Dan Benshitrit

Docs: Search by Company Endpoint | Get Company IDs

  • Added a new endpoint: POST /search-by-company

    Purpose: Enables targeted compromise searches within a specific company's digital asset portfolio, supporting unified querying across corporate domains, mobile applications (APKs), and external third-party services.

  • Prerequisites: Use the GET /my-account endpoint to retrieve your available company_id values before using this search capability.

    • Response includes:

      • stealer: Associated stealer ID and compromise metadata for correlation

      • credentials: Filtered credential data matching specified company assets and search criteria

      • ip: IP address and system information from compromised machines

      • computer_name: Name of the compromised computer for asset identification

      • date_compromised: Timeline data for incident response and forensic analysis

      • date_uploaded: When the compromise data was integrated into the platform

        This enterprise-focused search capability provides comprehensive organizational compromise assessment with intelligent asset correlation. The endpoint features smart external domain logic that automatically includes the company name as a keyword when searching external domains, enhancing third-party risk detection and shadow IT discovery workflows.


Example Request:

curl --request POST \
     --url https://api.hudsonrock.com/json/v3/search-by-company \
     --header 'accept: application/json' \
     --header 'api-key: <API_KEY>' \
     --header 'content-type: application/json' \
     --data '{
       "company_id": "695cebd77ef1529e2862efea",
       "company_asset_types": ["domains", "external_domains"],
       "keywords": ["admin", "portal"],
       "types": ["employees"],
       "subdomains": ["auth", "vpn"],
       "sort_by": "date_compromised"
     }'

Use Cases:

  • Enterprise Security Assessment: Comprehensive compromise monitoring across all company digital assets including corporate domains, mobile applications, and third-party services
  • Asset-Specific Investigation: Granular searches within specific asset categories (domains, APKs, external domains) based on organizational security requirements
  • Third-Party Risk Management: Enhanced detection of compromises in external services through intelligent company name correlation and keyword matching
  • Incident Response: Focused threat hunting within organizational asset portfolios for rapid impact assessment and containment planning
  • Shadow IT Discovery: Identification of unauthorized external services and applications through external domain compromise correlation with company identifiers

{ New } - Account Management Endpoint

by Dan Benshitrit

Docs: My Account Endpoint

  • Added a new endpoint: GET /my-account

Purpose: Provides comprehensive self-service account information and API permissions for authenticated users based on their API key authentication.

  • Response includes:
    • name: User's full name and contact information
    • email: Primary account email address
    • companies: List of associated company configurations (when available)
    • domains/external_domains/apps: Asset configuration for non-enterprise accounts
    • alert_emails: Configured notification recipients for security alerts
    • date_created: Account creation timestamp for audit trails
    • permissions: Categorized API access controls organized by data, search, visibility, and filtering categories

Example Request:

curl --request GET \
     --url https://api.hudsonrock.com/json/v3/my-account \
     --header 'accept: application/json' \
     --header 'api-key: <API_KEY>'

Use Cases:

  • Permission Auditing: Self-service visibility into API access levels and categorized permissions for compliance workflows
  • Account Verification: Validate configured assets, notification settings, and account metadata
  • Company ID Discovery: Retrieve company identifiers for use with enterprise search endpoints
  • Integration Planning: Understand available API capabilities and access scope for application development
  • Governance & Compliance: Audit trail access and permission verification for security assessments

{ New } - Search by Term Endpoint

by Dan Benshitrit

Docs: Search by Term Endpoint

  • Added a new endpoint: POST /search-by-term
  • Purpose: Provides comprehensive search capabilities through browser history data from compromised machines to identify specific search terms and queries.
  • Response includes:

    • search_query: The actual search term or query found in browser history.

    • search_engine: The search engine platform where the query was made (Google, Bing, etc.).

    • timestamp: When the search query was performed.

    • stealer: Associated stealer ID for correlation with other compromise data.

    • ip: IP address of the compromised machine.

    • computer_name: Name of the compromised computer.

      This new capability enhances threat hunting and behavioral analysis workflows by enabling security teams to identify suspicious search patterns, monitor for breach awareness, and correlate user intent with compromise timelines.

Example Request:

curl --request POST \
     --url https://api.hudsonrock.com/json/v3/search-by-term \
     --header 'accept: application/json' \
     --header 'api-key: <API_KEY>' \
     --header 'content-type: application/json' \
     --data '{
       "search_terms": ["how to hack", "malware removal", "vpn bypass"],
       "start_date": "2024-01-01T00:00:00Z",
       "sort_by": "date_compromised",
       "sort_direction": "desc"
     }'

Use Cases:

  • Threat Intelligence: Identify users searching for hacking techniques, malware, or security bypasses
  • Incident Response: Correlate search activity with compromise timelines to understand attack progression
  • Security Awareness: Detect employees searching for breach-related terms indicating compromise awareness
  • Behavioral Analysis: Monitor search patterns that may reveal insider threats or targeted attack indicators

{ New } - Search Data Field

by Dan Benshitrit

Added search_data Field to API (additional_fields)

We've added a new optional field in the additional_fields array of our API:
🔍 search_data

This field provides search engine queries and terms found in the browsing history of compromised machines, giving deep insight into user search behavior and potential security-related activities.

  • Field name: "search_data"
  • Field type: string (enum value within additional_fields)
  • Description: Adds information about search terms found in browsing history search engine results from infected devices, revealing user intent and potential threat indicators.

What it does:

  • Retrieves and displays search queries made by users on compromised machines
  • Captures search engine activity across different browsers and search platforms
  • Useful for behavioral analysis, threat hunting, and identifying suspicious search patterns that may indicate malicious intent or compromise awareness

Request Body Example:

curl --request POST \
     --url https://api.hudsonrock.com/json/v3/search-by-domain \
     --header 'accept: application/json' \
     --header 'api-key: <API_KEY>' \
     --header 'content-type: application/json' \
     --data '
{
  "domains": [
    "tesla.com",
    "teslamotors.com"
  ],
  "types": ["employees"],
  "keywords": ["sso"],
  "keywords_match": "any",
  "filter_credentials": true,
  "additional_fields": ["search_data"]
}

Response Example:

{
    "_id": "67a08ccd465561f4625e840f",
    "stealer": "...",
    "stealer_family": "Lumma",
    "date_uploaded": "2025-02-03T09:30:52.468Z",
    "employeeAt": [
        {
            "..."
        }
    ],
    "clientAt": [
        {
            "..."
        }
    ],
    "date_compromised": "2025-01-25T12:03:26.000Z",
    "ip": "...",
    "computer_name": "...",
    "operating_system": "...",
    "malware_path": "...",
    "credentials": [
        {
            "url": "https://sso.tesla.com/adfs/ls",
            "domain": "tesla.com",
            "username": "••••••••••@tesla.com",
            "password": "••••••••••",
            "type": "employee"
        }
    ],
    "search_data": [
        {
            "search_query": "how to remove malware from computer",
            "search_engine": "google.com",
            "timestamp": "2025-01-24T15:30:22.000Z"
        },
        {
            "search_query": "corporate vpn access remote work",
            "search_engine": "bing.com", 
            "timestamp": "2025-01-24T09:15:10.000Z"
        },
        {
            "search_query": "password manager security best practices",
            "search_engine": "duckduckgo.com",
            "timestamp": "2025-01-23T14:45:33.000Z"
        }
    ]
}

Use Cases:

  • Threat Hunting: Identify users searching for malware removal, suspicious software, or hacking techniques
  • Behavioral Analysis: Understand user intent and activities leading up to or following a compromise
  • Security Awareness: Detect employees searching for security-related topics that may indicate awareness of a breach
  • Incident Response: Correlate search activity with compromise timelines for forensic analysis
  • Risk Assessment: Identify high-risk search patterns that may indicate insider threats or targeted attacks

{ New } - Search by PC Name Endpoint

by Dan Benshitrit

🖥️ Search by PC Name Endpoint

  • New endpoint: /json/v3/search-by-pc
  • Category: End User Protection
  • Purpose: Search for compromises by computer/machine name
  • Use case: Asset-based threat hunting and infrastructure security monitoring

📋 Request Parameters

Required

  • pcs: Array of computer names to search for
  • Type: Array of strings
  • Limit: 1-50 computer names per request
  • Example: ["ADMIN", "WORKSTATION-01", "LAPTOP-DEV"]
  • Case handling: Case-insensitive matching

Optional (Inherited from Common Parameters)

  • sort_by: Sort field (date_compromised, date_uploaded)
  • sort_direction: Sort direction (asc, desc)
  • types: Filter by credential types (employees, users, third_parties)
  • domains: Domain filtering for targeted searches
  • keywords: URL keyword filtering
  • cursor: Pagination cursor for large result sets
  • start_date/end_date: Temporal filtering options
  • additional_fields: Extended data inclusion options

{ New } - Subdomain Filtering Feature

by Dan Benshitrit

✨ New Features

🎯 Subdomain Filtering for Domain Search

  • Added subdomains parameter to /search-by-domain endpoint
  • Filtering capability: Matches against subdomain portions of URLs (e.g., "auth" in "auth.example.com")
  • Key difference from keywords:
    • 🎯 Subdomains: Matches only the subdomain portion of URLs
    • 🔍 Keywords: Matches across the entire URL including paths, parameters, and subdirectories
  • Limit: Maximum 5 subdomains per request
  • Example usage: {"domains": ["example.com"], "subdomains": ["auth", "admin"]}

🔒 Validation Rules

  • Mutual exclusivity: subdomains cannot be used with:
    • keywords or keywords_match parameters
    • external_domains parameter
  • Clear error messages for invalid parameter combinations

{ New } - Advanced Search Endpoint

by Dan Benshitrit

🚀 New Endpoint: POST /advanced-search

Summary

A powerful new endpoint for performing advanced compromise intelligence queries using multiple filters, supporting large-scale threat investigations across employee and user data.

🔍 Description

The /advanced-search endpoint enables clients to execute fine-grained searches across potentially compromised domains using a wide range of filters. Designed for advanced use cases like enterprise threat monitoring, incident response, and intelligence aggregation.

📥 Request Body

Supports a JSON payload with at least one filter required. The following filters are available:

🔑 Primary Filters

  • domains[] – Root domains (max 500)
  • min_employees_compromised, max_employees_compromised
  • min_users_compromised, max_users_compromised
  • last_employee_compromised, last_user_compromised (ISO 8601)
  • last_employee_uploaded, last_user_uploaded (ISO 8601)

🏢 Enrichment Filters

  • company_sizes[] – E.g., ["1-10", "5001-10000"]
  • industries[] – Accepts any from 147+ industries
  • countries[] – Accepts any of 247 countries

📊 Sorting & Pagination

  • sort_by – One of:

    • last_employee_compromised
    • last_user_compromised
    • last_employee_uploaded
    • last_user_uploaded
    • compromised_employees
    • compromised_users

  • sort_directionasc or desc (default: desc)

  • cursor – Base64-encoded string for pagination

📤 Response Format

Returns a JSON object containing:

  • data[] – List of matching domain summaries with:

    • domain, compromised_employees, compromised_users
    • last_employee_compromised, last_user_compromised
    • last_employee_uploaded, last_user_uploaded
    • company_size, industry, country
    • sensitive_applications[]

  • nextCursor – Cursor for pagination

⚠️ Error Responses

  • 400 – Validation error
  • 401 – Unauthorized
  • 403 – Forbidden
  • 404 – Not found
  • 408 – Request timeout
  • 429 – Rate limit exceeded
  • 500 – Internal server error

📘 Notes

  • At least one filter is required to trigger a search.
  • Designed for high-scale forensic or investigative queries.
  • Country and industry filters reference live values at: /company-filters.json

{ New} - Directory Tree Field

by Dan Benshitrit

Added dir_tree Field to API (additional_fields)

We’ve added a new optional field in the additional_fields array of our API:
📂 dir_tree

This field provides the full directory tree structure of a compromised machine, giving deep visibility into its file system layout.

  • Field name: "dir_tree"
  • Field type: string (enum value within additional_fields)
  • Description: Adds the complete directory tree of the compromised machine, which can help uncover sensitive file locations, misconfigurations, or other potential attack vectors.

What it does:

  • Retrieves and displays the directory hierarchy, including subdirectories and nested files.
  • Useful for spotting exposed configuration files, backup folders, logs, and other assets that could be leveraged in further attacks.

Request Body Example:

curl --request POST \
     --url https://api.hudsonrock.com/json/v3/search-by-domain \
     --header 'accept: application/json' \
     --header 'api-key: <API_KEY>' \
     --header 'content-type: application/json' \
     --data '
{
  "domains": [
    "tesla.com",
    "teslamotors.com"
  ],
  "types": ["employees"],
  "keywords": ["sso"],
  "keywords_match": "any",
  "filter_credentials": true,
  "additional_fields": ["dir_tree"]
}
'

Response Example:

{
    "_id": "67a08ccd465561f4625e840f",
    "stealer": "...",
    "stealer_family": "Lumma",
    "date_uploaded": "2025-02-03T09:30:52.468Z",
    "employeeAt": [
        {
            "..."
        }
    ],
    "clientAt": [
        {
            "..."
        }
    ],
    "date_compromised": "2025-01-25T12:03:26.000Z",
    "ip": "...",
    "computer_name": "...",
    "operating_system": "...",
    "malware_path": "...",
    "antiviruses": [
        {
            "..."
        }
    ],
    "credentials": [
        {
            "url": "https://sso.tesla.com/adfs/ls",
            "domain": "tesla.com",
            "username": "••••••••••,@tesla.com",
            "password": "••••••••••",
            "type": "employee",
            "password_strength": {
                "contains": [
                    "lowercase",
                    "symbol"
                ],
                "length": 10,
                "id": 1,
                "value": "Weak"
            }
        }
    ],
    "dir_tree": {
        "name": "<REDACTED>",
        "type": "directory",
        "children": [
            {
                "name": "Applications",
                "type": "directory",
                "children": [
                    {
                        "name": "Steam",
                        "type": "directory",
                        "children": [
                            {
                                "name": "Tokens.txt",
                                "type": "file"
                            }
                        ]
                    },
                    {
                        "name": "AnyDesk",
                        "type": "directory",
                        "children": [
                            {
                                "name": "service.conf",
                                "type": "file"
                            },
                            {
                                "name": "user.conf",
                                "type": "file"
                            },
                            {
                                "name": "system.conf",
                                "type": "file"
                            }
                        ]
                    },
                    {
                        "name": "Discord",
                        "type": "directory",
                        "children": [
                            {
                                "name": "DiscordTokens.txt",
                                "type": "file"
                            }
                        ]
                    }
                ]
            },
            {
                "name": "All Passwords.txt",
                "type": "file"
            },
            {
                "name": "Brute.txt",
                "type": "file"
            },
            {
                "name": "System.txt",
                "type": "file"
            },
            {
                "name": "Software.txt",
                "type": "file"
            },
            {
                "name": "Processes.txt",
                "type": "file"
            },
            {
                "name": "GoogleAccounts",
                "type": "directory",
                "children": [
                    {
                        "name": "Restore_Chrome_Default.txt",
                        "type": "file"
                    }
                ]
            },
            {
                "name": "DomainDetect.txt",
                "type": "file"
            },
            {
                "name": "Cookies",
                "type": "directory",
                "children": [
                    {
                        "name": "Cookies_Brave_Default.txt",
                        "type": "file"
                    },
                    {
                        "name": "Cookies_Edge_Default.txt",
                        "type": "file"
                    },
                    {
                        "name": "Cookies_Chrome_Default.txt",
                        "type": "file"
                    }
                ]
            },
            {
                "name": "Chrome",
                "type": "directory",
                "children": [
                    {
                        "name": "Default",
                        "type": "directory",
                        "children": [
                            {
                                "name": "History.txt",
                                "type": "file"
                            },
                            {
                                "name": "Autofills.txt",
                                "type": "file"
                            },
                            {
                                "name": "Cookies.txt",
                                "type": "file"
                            },
                            {
                                "name": "Passwords.txt",
                                "type": "file"
                            }
                        ]
                    }
                ]
            },
            {
                "name": "Edge",
                "type": "directory",
                "children": [
                    {
                        "name": "Default",
                        "type": "directory",
                        "children": [
                            {
                                "name": "History.txt",
                                "type": "file"
                            },
                            {
                                "name": "Cookies.txt",
                                "type": "file"
                            }
                        ]
                    }
                ]
            },
            {
                "name": "Opera GX Stable",
                "type": "directory",
                "children": [
                    {
                        "name": "Opera GX Stable",
                        "type": "directory",
                        "children": [
                            {
                                "name": "History.txt",
                                "type": "file"
                            }
                        ]
                    }
                ]
            },
            {
                "name": "Brave",
                "type": "directory",
                "children": [
                    {
                        "name": "Default",
                        "type": "directory",
                        "children": [
                            {
                                "name": "History.txt",
                                "type": "file"
                            },
                            {
                                "name": "Cookies.txt",
                                "type": "file"
                            }
                        ]
                    }
                ]
            },
            {
                "name": "Wallets",
                "type": "directory",
                "children": [
                    {
                        "name": "Phantom_Chrome_Default",
                        "type": "directory",
                        "children": [
                            {
                                "name": "002373.log",
                                "type": "file"
                            },
                            {
                                "name": "LOG.old",
                                "type": "file"
                            },
                            {
                                "name": "MANIFEST-000001",
                                "type": "file"
                            },
                            {
                                "name": "CURRENT",
                                "type": "file"
                            },
                            {
                                "name": "LOG",
                                "type": "file"
                            },
                            {
                                "name": "002375.ldb",
                                "type": "file"
                            }
                        ]
                    }
                ]
            },
            {
                "name": "Important Files",
                "type": "directory",
                "children": [
                    {
                        "name": "Profile",
                        "type": "directory",
                        "children": [
                            {
                                "name": "Downloads",
                                "type": "directory",
                                "children": [
                                    {
                                        "name": "Beige Pass Board.pdf",
                                        "type": "file"
                                    }
                                ]
                            }
                        ]
                    },
                    {
                        "name": "Desktop",
                        "type": "directory",
                        "children": [
                            {
                                "name": "README.txt",
                                "type": "file"
                            },
                            {
                                "name": "Download Files",
                                "type": "directory",
                                "children": [
                                    {
                                        "name": "ReadMe.txt",
                                        "type": "file"
                                    }
                                ]
                            }
                        ]
                    }
                ]
            }
        ]
    }
}

{ New } - Sensitive Applications Field

by Dan Benshitrit

Added sensitive_applications Field to API (additional_fields)

We’ve added a new optional field in the additional_fields array of our API:
🔍 sensitive_applications

This field enriches external domain results with insight into potentially sensitive applications exposed within the compromised machine’s URL structure.

Field name: "sensitive_applications"

Field type: string (enum value within additional_fields)

Description: Adds detection of sensitive applications based on a predefined list of known high-risk web apps and services.

What it does:

Parses compromised URLs to identify references to sensitive applications (e.g. admin panels, security consoles, developer tools, cloud management platforms, etc.).

Flags presence of these apps to help prioritize remediation based on risk exposure.

Request Body Example:

curl --request POST \
     --url https://api.hudsonrock.com/json/v3/search-by-domain \
     --header 'accept: application/json' \
     --header 'api-key: <API_KEY>' \
     --header 'content-type: application/json' \
     --data '
{
  "domains": [
    "tesla.com",
    "teslamotors.com"
  ],
  "types": ["employees"],
  "keywords": ["sso"],
  "keywords_match": "any",
  "filter_credentials": true,
  "additional_fields": ["sensitive_applications"]
}
'

Response Example:

{
   "_id":"67a08ccd465561f4625e840f",
   "stealer":"...",
   "stealer_family":"Lumma",
   "date_uploaded":"2025-02-03T09:30:52.468Z",
   "employeeAt":[
      {
         "..."
      }
   ],
   "clientAt":[
      {
         "..."
      }
   ],
   "date_compromised":"2025-01-25T12:03:26.000Z",
   "ip":"...",
   "computer_name":"...",
   "operating_system":"...",
   "malware_path":"...",
   "antiviruses":[
      {
         "..."
      }
   ],
   "credentials":[
      {
         "url":"https://sso.tesla.com/adfs/ls",
         "domain":"tesla.com",
         "username":"••••••••••,@tesla.com",
         "password":"••••••••••",
         "type":"employee",
         "password_strength":{
            "contains":[
               "lowercase",
               "symbol"
            ],
            "length":10,
            "id":1,
            "value":"Weak"
         }
      }
   ],
   "sensitive_applications":[
      {
         "name":"adfs",
         "description":"Active Directory Federation Services, a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries."
      },
      {
         "name":"sso",
         "description":"Single sign-on is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors."
      }
   ]
}

{ New } - Password Strength Analysis

by Dan Benshitrit

Added password_strength Field to API (additional_fields)

We’ve added support for a new optional field in the additional_fields array of our API:
🔐 password_strength

This field enables password strength analysis for each exposed credential returned in external domain results.
It helps assess the quality and security of compromised passwords, and identify weak credentials that may require proactive resets or policy enforcement.

Field name: "password_strength"

Field type: string (enum value within additional_fields)

Description: Adds strength analysis for each password using entropy and pattern checks.

Implementation details:

Categorizes each password as one of: Too weak, Weak, Medium, or Strong.

Formula:

[
  {
    id: 0,
    value: "Too weak",
    minDiversity: 0,
    minLength: 0
  },
  {
    id: 1,
    value: "Weak",
    minDiversity: 2,
    minLength: 8
  },
  {
    id: 2,
    value: "Medium",
    minDiversity: 4,
    minLength: 10
  },
  {
    id: 3,
    value: "Strong",
    minDiversity: 4,
    minLength: 12
  }
]