Cool Query of the Week for October 10, 2024: Using the new suspicious open directory label

  • October 10, 2024
  • 2 replies
  • 109 views

MattK_Censys

Hey hey folks, this week I’ve got a query that leverages our new suspicious open directory label. While simply running labels: suspicious-open-dir can be a good starting point in general, combining it with other information of interest can get you really moving in an investigation. Try the following with hosts:

labels: suspicious-open-dir and services.http.response.body: "cve"

This will return hosts with the suspicious open directory label and “cve” in the service response body. Sub a different indicator of interest in there and take it away!

This is part of a regular series of posts in which we’ll highlight useful, interesting, and otherwise cool queries for use with Censys Search and ASM. If you have any questions, similar queries, or custom versions of this week’s highlight, let us know!

I have seen that after upgrading to the Censys Platform, this query is no longer showing results: labels: suspicious-open-dir and services.http.response.body: "cve", which is converted by the Query converter to host.services.labels.value="SUSPICIOUS_DIRECTORY " and host.services.endpoints.http.body:"cve"


MattK_Censys
  • Censys Community Manager
  • March 31, 2025

The suspicious open directory label is not currently present in the Censys Platform datasets. However, we have some exciting plans to incorporate the info that was used for the suspicious open directory label into a new component of the Platform in the near future. Stay tuned!

In the meantime, you could target the OPEN_DIRECTORY label with a similar query, like so:

host.services.labels.value="OPEN_DIRECTORY" and host.services.endpoints.http.body:"cve"

