Hey hey folks, this week I’ve got a query that leverages our new suspicious open directory label. While simply running labels: suspicious-open-dir can be a good starting point in general, combining it with other information of interest can get you really moving in an investigation. Try the following with hosts:

labels: suspicious-open-dir and services.http.response.body: "cve"

This will return hosts with the suspicious open directory label and “cve” in the service response body. Sub a different indicator of interest in there and take it away!

This is part of a regular series of posts in which we’ll highlight useful, interesting, and otherwise cool queries for use with Censys Search and ASM. If you have any questions, similar queries, or custom versions of this week’s highlight, let us know!

I have seen that after upgrading to the Censys Platform, this query is no longer showing results:

labels: suspicious-open-dir and services.http.response.body: "cve"

which is converted by the Query converter to:

host.services.labels.value="SUSPICIOUS_DIRECTORY " and host.services.endpoints.http.body:"cve"


The suspicious open directory label is not currently present in the Censys Platform datasets. However, we have some exciting plans to incorporate the info that was used for the suspicious open directory label into a new component of the Platform in the near future. Stay tuned!

In the meantime, you could target the OPEN_DIRECTORY label with a similar query, like so:

host.services.labels.value="OPEN_DIRECTORY" and host.services.endpoints.http.body:"cve"

