
This week I’m highlighting a query that you can use to find sites that have an executable file in their index. Hosts that are returned by this query could be worth investigating further to determine whether they are being used for malicious purposes. This query uses regex to include a number of different file extensions, but you can use a simpler, regex-free version of it with wildcards or specific executable file names.

 

services: (http.response.html_title:"index of" and http.response.body=/.*\.(js|exe|app|vb|scr).*/)

 

If you have identified a specific executable file of interest (for example, nc.exe), you could use that for the value for the services.http.response.body field, as Matthew from Embee Research did in his excellent guide to tracking malware with Censys.

 

This is part of a regular series of posts in which we highlight useful, interesting, and otherwise cool queries for use with Censys Search and ASM. If you have any questions, similar queries, or custom versions of this week’s highlight, let us know!

Great query! You can also get more granular in hunting for web directories using:

services: (http.response.html_title:"index of" and services.http.response.body=/.*(mimikatz|sliver|cobaltstrike|putty|cve-2024).*/)
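A local triage step for response bodies returned by the two queries in this thread, as an added example that is not part of the original posts or of Censys tooling: it parses the listing's links and checks the actual file names, because the body regex also matches substrings such as `.json`. The sample HTML, the function name `triage` and the class `ListingLinks` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Body patterns from the two queries above, approximated as Python regexes.
BODY_EXT = re.compile(r".*\.(js|exe|app|vb|scr).*", re.S)
KEYWORDS = re.compile(r"(mimikatz|sliver|cobaltstrike|putty|cve-2024)", re.I)
EXEC_EXT = (".js", ".exe", ".app", ".vb", ".scr")

class ListingLinks(HTMLParser):
    """Collect href targets from <a> tags in a directory-listing page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def triage(title, body):
    """Return (query_would_match, flagged_files, keyword_hits) for one response."""
    is_index = "index of" in title.lower()
    query_match = is_index and BODY_EXT.fullmatch(body) is not None
    if not is_index:
        return query_match, [], []
    parser = ListingLinks()
    parser.feed(body)
    # Reduce each link to its final path component (the listed file name).
    names = [unquote(urlsplit(h).path).rstrip("/").rsplit("/", 1)[-1]
             for h in parser.hrefs]
    flagged = sorted(n for n in names if n.lower().endswith(EXEC_EXT))
    hits = sorted({m.lower() for n in names for m in KEYWORDS.findall(n)})
    return query_match, flagged, hits

# Constructed sample bodies (not real scan data).
SUSPICIOUS = """<html><head><title>Index of /tools</title></head><body>
<a href="../">../</a> <a href="nc.exe">nc.exe</a>
<a href="notes.txt">notes.txt</a> <a href="mimikatz.zip">mimikatz.zip</a>
</body></html>"""
BENIGN = """<html><head><title>Index of /data</title></head><body>
<a href="../">../</a> <a href="data.json">data.json</a>
</body></html>"""

if __name__ == "__main__":
    print(triage("Index of /tools", SUSPICIOUS))
    print(triage("Index of /data", BENIGN))
```

The second sample shows a host the extension query would return even though the listing holds no executable, which is why checking the parsed file names is a useful follow-up before investigating a result.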

 

 


Nice, good suggestion!

