This week we’ve got a complex query that leverages our relative time variables to identify recently-issued (within the last 6 hours) certificates that are present on hosts with exposed login pages. Certs like this could be used to impersonate an organization for phishing or MITM attacks. Thanks to Morgan on our team for highlighting it.

services: ((tls.certificate.ct.entries.value.added_to_ct_at: [now-6h to *]) and (labels: login-page))

Combine this query with fields like the following to look for hosts that could be used to impersonate a specific organization or service.

  • dns.names: [orgname][.]com
  • services.tls.certificate.names: [orgname][.]com
  • services.tls.certificate.parsed.subject.organization: "Org Name"
  • services.http.response.html_title: *[orgname]*
  • whois.organization.name: "Org Name"
  • whois.organization.tech_contacts.email: *@[orgname][.]com
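
As an added example (not code from the original post or from Censys), this Python helper shows one way to assemble the combined query for monitoring your own organization: the base query is AND-ed with an OR group of the fields listed above. The function name, dictionary keys and parameters are hypothetical, and it assumes the org-name placeholders in the list stand for the organization's real domain label and name.

```python
import re

# Base query from the post; only the look-back window varies here.
BASE = ("services: ((tls.certificate.ct.entries.value.added_to_ct_at: "
        "[now-{hours}h to *]) and (labels: login-page))")

# Field templates taken from the post's list. The short keys and the
# {domain}/{label}/{name} slots are hypothetical names for this example.
FILTERS = {
    "dns": "dns.names: {domain}",
    "cert_names": "services.tls.certificate.names: {domain}",
    "cert_org": "services.tls.certificate.parsed.subject.organization: {name}",
    "html_title": "services.http.response.html_title: *{label}*",
    "whois_org": "whois.organization.name: {name}",
    "whois_email": "whois.organization.tech_contacts.email: *@{domain}",
}


def build_query(label, name, tld="com", hours=6, fields=None):
    """Return the base query AND-ed with an OR group of the chosen filters."""
    # Unquoted terms may only be hostname labels, so spaces, parentheses,
    # wildcards or operators cannot change the structure of the query.
    for part in (label, tld):
        if not re.fullmatch(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?", part):
            raise ValueError(f"not a hostname label: {part!r}")
    # The quoted phrase must not be able to close its own quotes.
    if not name or '"' in name or "\\" in name:
        raise ValueError("organization name must be non-empty, without quotes")
    # Only the hour unit appears in the post, so only hours are accepted.
    if not isinstance(hours, int) or isinstance(hours, bool) or hours < 1:
        raise ValueError("hours must be a positive integer")
    chosen = list(FILTERS) if fields is None else list(fields)
    unknown = [f for f in chosen if f not in FILTERS]
    if not chosen or unknown:
        raise ValueError(f"select known filters, got: {chosen}")
    values = {"domain": f"{label}.{tld}", "label": label, "name": f'"{name}"'}
    group = " or ".join(f"({FILTERS[f].format(**values)})" for f in chosen)
    return f"{BASE.format(hours=hours)} and ({group})"


if __name__ == "__main__":
    # Constructed sample input: a fictional organization.
    print(build_query("example", "Example Corp",
                      fields=["cert_names", "html_title"]))
```

Narrow `fields` to the signals that matter for your case; the default ORs all six, which also matches the organization's own legitimate hosts.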

This is part of a regular series of posts in which we’ll highlight useful, interesting, and otherwise cool queries for use with Censys Search and ASM. If you have any questions, similar queries, or custom versions of this week’s highlight, let us know!
