Advanced Censys Search Methods and Queries
After reviewing Censys Query Language Syntax and common host queries and certificate queries, you may want to try using more advanced queries. Use the queries on this page as a starting point for conducting more advanced investigations.
Exploring Threat Activity
Open directories
services.http.response.html_title: "Index of /"
Cobalt Strike Beacons
services.cobalt_strike: *
Compromised MikroTik Routers
services.service_name: MIKROTIK_BW and "HACKED"
Services on port 53 that are not DNS
services: (port: 53 and not service_name: DNS) and services.truncated: false
Network devices with exposed login pages
services: (labels:{network.device, login-page})
Deimos C2
services: (port: 8443 and (http.response.html_title="Deimos C2" or tls.certificates.leaf_data.subject.organization="Acme Co"))
Posh C2
services.tls.certificates.leaf_data.subject_dn: "C=US, ST=Minnesota, L=Minnetonka, O=Pajfds, OU=Jethpro, CN=P18055077"
Incident Response: Queries for a Zero-Day
You can use Censys Search when responding to a zero-day vulnerability disclosure.
When a zero-day hits, the Censys Research team deploys rapid response articles that explain the scope and impact of the attack. We also include the queries that you can run to determine if you are affected.
MOVEit CVE
services.http.response.favicons.md5_hash=af8bf513860e22425eff056332282560
CVE-2023-20198 Cisco IOS-XE
labels=`cisco-xe-webui`
CVE-2023-44487 HTTP/WHO?
services.http.supports_http2: true
CVE-2023-30799 MikroTik RouterOS
services.http.response.html_title: "RouterOS router configuration page"
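To put these rapid-response queries to use against your own assets, here is an added Python example (not Censys's own code) that scopes each page query to your CIDR ranges with an `ip:` clause and summarizes which hosts match. The hits are constructed sample data shaped like the hosts search API response; the `censys` client call in the comment is the assumed way to fetch real hits.

```python
"""Scope the zero-day triage queries on this page to our own address space
and summarize matching hosts.  Added example; not Censys code."""
import ipaddress

# Queries exactly as they appear on this page, keyed by the issue they cover.
TRIAGE_QUERIES = {
    "MOVEit": "services.http.response.favicons.md5_hash=af8bf513860e22425eff056332282560",
    "CVE-2023-20198": "labels=`cisco-xe-webui`",
    "CVE-2023-44487": "services.http.supports_http2: true",
    "CVE-2023-30799": 'services.http.response.html_title: "RouterOS router configuration page"',
}


def scope_query(query: str, cidrs: list[str]) -> str:
    """Restrict a page query to our CIDR blocks (Censys accepts `ip: <CIDR>`).
    Invalid CIDRs raise early rather than silently widening the search."""
    nets = [str(ipaddress.ip_network(c, strict=False)) for c in cidrs]
    scope = " or ".join(f"ip: {n}" for n in nets)
    return f"({query}) and ({scope})"


def affected_hosts(hits: list[dict], cidrs: list[str]) -> dict[str, list[int]]:
    """Map each in-scope IP to the sorted ports Censys saw on it.
    Re-checking the CIDRs locally guards against a scope clause that was
    wider than intended (e.g. a typo in the query string)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    out: dict[str, list[int]] = {}
    for hit in hits:
        ip = ipaddress.ip_address(hit["ip"])
        if not any(ip in n for n in nets):
            continue
        out[str(ip)] = sorted({s["port"] for s in hit.get("services", [])})
    return out


# Constructed sample hits in the shape of the hosts search API (ip + services).
# Real hits would come from, e.g., censys.search.CensysHosts().search(query) (assumed).
SAMPLE_HITS = [
    {"ip": "203.0.113.10", "services": [{"port": 443, "service_name": "HTTP"}]},
    {"ip": "203.0.113.20", "services": [{"port": 8443, "service_name": "HTTP"},
                                        {"port": 80, "service_name": "HTTP"}]},
    {"ip": "198.51.100.5", "services": [{"port": 80, "service_name": "HTTP"}]},  # out of scope
]

if __name__ == "__main__":
    ours = ["203.0.113.0/24"]
    for name, q in TRIAGE_QUERIES.items():
        print(name, "->", scope_query(q, ours))
    print(affected_hosts(SAMPLE_HITS, ours))
```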
Meta/Facebook Pixel Trackers
Use Censys Search to detect Meta Pixel JavaScript code on your sites. The Pixel tracks website user activity through cookies and sends that information back to Meta, which can be a problem on pages that handle sensitive data.
Use the following query to determine the presence of Meta Pixel code on your websites.