
Howdy! This week I’m sharing a query that targets certificates. Use it to find certs added to the Censys dataset within the past week that are being used on spoofed domains, which could indicate suspicious behavior. Combine this with known malicious domains to stay ahead of potential risks.

In this example, I used dnstwister to find suspect domains that might be impersonating censys.com. You could use regex instead to match patterns.

(densys.com or xensys.com or ce.nsys.com) and added_at:[now-1w to now]

This is part of a regular series of posts in which we’ll highlight useful, interesting, and otherwise cool queries for use with Censys Search and ASM. If you have any questions, similar queries, or custom versions of this week’s highlight, let us know!
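
As an added example (not part of the original post, and not Censys or dnstwister code): a Python sketch that derives lookalike names for a domain you own and wraps them in the query form shown above. The two permutation rules (adjacent-key substitution and dot insertion, which cover the three names in the post's query), the function names and the batch size are assumptions; dnstwister generates many more variants.

```python
# Added example: build certificate-monitoring queries for lookalikes of your own domain.
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # QWERTY letter rows, top to bottom


def neighbours(ch):
    """Letters physically adjacent to ch on a QWERTY keyboard."""
    for r, row in enumerate(ROWS):
        i = row.find(ch)
        if i < 0:
            continue
        # Rows are staggered: the keys above sit at i and i+1, the keys below at i-1 and i.
        near = {(r, i - 1), (r, i + 1), (r - 1, i), (r - 1, i + 1), (r + 1, i - 1), (r + 1, i)}
        return sorted(ROWS[y][x] for y, x in near
                      if 0 <= y < len(ROWS) and 0 <= x < len(ROWS[y]))
    return []  # digits and hyphens are left unchanged


def lookalikes(domain):
    """Single-typo and dot-insertion variants of the first label of domain."""
    label, _, rest = domain.lower().partition(".")
    out = set()
    for i, ch in enumerate(label):
        for n in neighbours(ch):
            out.add(f"{label[:i]}{n}{label[i + 1:]}.{rest}")
        # A dot splits the label in two; skip splits that leave a label edge on "-".
        if i > 0 and "-" not in (label[i - 1], label[i]):
            out.add(f"{label[:i]}.{label[i:]}.{rest}")
    out.discard(domain.lower())
    return sorted(out)


def censys_queries(domains, window="1w", batch=20):
    """One query per batch of names, in the form used in the post."""
    return [
        "(" + " or ".join(domains[i:i + batch]) + f") and added_at:[now-{window} to now]"
        for i in range(0, len(domains), batch)
    ]


if __name__ == "__main__":
    for query in censys_queries(lookalikes("censys.com")):
        print(query)
```

Batching keeps each query short; run every batch and merge the results before comparing them with your list of known malicious domains.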
