
Hey hey folks, this week I’ve got a query that leverages our new suspicious open directory label. While simply running labels: suspicious-open-dir can be a good starting point in general, combining it with other information of interest can get you really moving in an investigation. Try the following with hosts:

labels: suspicious-open-dir and services.http.response.body: "cve"

This will return hosts with the suspicious open directory label and “cve” in the service response body. Sub a different indicator of interest in there and take it away!

This is part of a regular series of posts in which we’ll highlight useful, interesting, and otherwise cool queries for use with Censys Search and ASM. If you have any questions, similar queries, or custom versions of this week’s highlight, let us know!
