
Open directory data enhancements and the Suspicious Directory threat, a graphical investigation explorer, CensEye enhancements, and more improvements in the Platform; a Chrome browser extension; and registrant email domain pivoting in ASM.

Platform

Threat Hunting

  • Build node-based pivot trees to discover, visualize, and understand connections between web assets in the Censys datasets using the Investigation Manager in the Platform web UI.
  • Use the Suspicious Directory threat to find and track web assets with open directories that contain security tools, penetration testing utilities, webshells, or other potentially malicious files. Use this threat information to find hosts and web services with suspicious files before they are leveraged in attacks.
  • Leverage the open directory visual explorer and open directory parsed fields to quickly understand directory information at a glance, including file names, sizes, last modified dates, and directory structure.
  • Made several changes to the default CensEye pivot fields for hosts, web properties, and certificates, including:
    • Added TLS fingerprinting fields (JA4S, JA3S, JA4X, JARM) for better network analysis
    • Added SSH, Cobalt Strike, and protocol-specific pivots for threat detection
    • Added HTTP metadata fields (headers, favicons, body hashes) for web analysis
    • Switched favicon hashes from MD5 to SHA256 for improved security
    • Added support for specialized protocols including SCADA, Kubernetes, and SNMP

Chrome browser extension

API

  • Added the count_by_level parameter to the aggregate endpoint to allow you to specify which document level's count is returned per term bucket, primarily for nested fields. This is the same functionality available in the Count By dropdown in the Report Builder UI.

ASM

  • Added registrant email domain pivoting to the ASM attribution process during seed discovery.
    • If ASM finds the email address registrant@censys.com associated with a domain that belongs to you, it will pivot to find other assets registered to any censys.com email address. If you accept an email domain as a seed, you will see many new registrant emails appear in the seed discovery list.
    • If you have continuous seed discovery enabled, this update may result in more frequent seed discovery emails for newly found email addresses.
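
The registrant email domain pivot described above, sketched as an added example (this is not Censys code and not how ASM is implemented). The WHOIS-style records are constructed, the function names are hypothetical, and the exclusion list for shared mail providers is an assumption added here.

```python
from collections import defaultdict

# Constructed WHOIS-style records (domain -> registrant email); not real registration data.
WHOIS = {
    "example-corp.test": "registrant@censys.com",
    "example-shop.test": "it-admin@censys.com",
    "example-labs.test": "Legal@Censys.com ",
    "unrelated.test": "owner@other-org.test",
    "personal-blog.test": "someone@gmail.com",
    "broken.test": "REDACTED FOR PRIVACY",
}

# Assumption: shared mailbox providers are never used as a pivot, because one
# such domain covers registrants who have nothing to do with each other.
SHARED_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}


def email_domain(value):
    """Return the lower-cased domain of a registrant email, or None if it is not an address."""
    value = (value or "").strip().lower()
    local, sep, domain = value.rpartition("@")
    if not sep or not local or "." not in domain or " " in value:
        return None
    return domain


def pivot_from_seed(seed_domain, whois=WHOIS):
    """Pivot from an owned domain to other domains registered under the same email domain.

    Returns (pivot_domain, {registrant_email: [domains]}), or (None, {}) when the
    seed has no usable registrant email or the email domain is a shared provider.
    """
    pivot = email_domain(whois.get(seed_domain))
    if pivot is None or pivot in SHARED_MAIL_DOMAINS:
        return None, {}
    found = defaultdict(list)
    for domain, registrant in whois.items():
        if domain != seed_domain and email_domain(registrant) == pivot:
            # Each distinct address under the pivot domain becomes its own candidate seed.
            found[registrant.strip().lower()].append(domain)
    return pivot, dict(found)


if __name__ == "__main__":
    print(pivot_from_seed("example-corp.test"))
```

Each distinct address returned under the pivot domain is a separate candidate, which is why accepting an email domain as a seed makes many new registrant emails appear for review.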

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

New fingerprints

Added the following fingerprints.

| Type | Name | Description | Query |
| --- | --- | --- | --- |
| risk | Vulnerable CrushFTP [CVE-2025-54309] | CrushFTP 11 before 11.3.4_23 (update < 756), when the DMZ proxy feature is not used, is vulnerable to CVE-2025-54309 due to mishandled AS2 validation, allowing remote attackers to obtain admin access via HTTPS. | ASM risk query: risks.name: `Vulnerable CrushFTP [CVE-2025-54309]` |
| software | Cisco ISE | Cisco Identity Services Engine (ISE) is a network access control and policy enforcement system that provides secure access via identity-based policies. | Platform query |