EASM Threat Hunting Best Practices

Question

Hi,I was wondering what is the best way to start doing some External Attack Surface threat hunting for a specific organisation using Censys using the free community account type. Are there good way to start doing this whilst reducing any potential false positives, such as looking for a specific version of PHP seen on a server/machine rather than just PHP as a whole?

MattK_Censys · Answer

Hey there!Great question. Here’s one way to approach this, would be happy to hear what other folks think:If you have a range of IPs that you know are within your surface, make sure you’re only pivoting off of that range in your queries in the narrowest sense to reduce the amount of follow-up queriesYou can use a query like this to look for specific PHP version ranges when you’ve narrowed your search otherwise:services.software: (product: PHP and version: [8.3.0 to 8.3.7])You could create a query that combines the two like so:ip: [0.1.2.3 to 0.1.2.4] and services.software: (product: PHP and version: [8.3.0 to 8.3.7])You can also use wildcard characters to modify your returns on version info, like with the following:services.software: (product: PHP and version:8.3.*)I know you mentioned that working from a free account is important, but being able to leverage features like Matched Services from a Solo account makes parsing the results of your searches easier and finding items you want to focus on.

Sign up

Log in to the Censys Community

Scanning file for viruses.

This file cannot be downloaded