Advanced Search Methods and Queries
With basic queries mastered, here’s how to conduct more advanced searches.
Queries to serve as a starting point for conducting a more advanced investigation are listed below.
Exploring Threat Activity & Other Interesting Artifacts
Open directories:
services.http.response.html_title: "Index of /"
Cobalt Strike Beacons:
services.cobalt_strike: *
Compromised MikroTik Routers:
services.service_name: MIKROTIK_BW and "HACKED"
Services on port 53 that are not DNS:
services: (port: 53 and not service_name: DNS) and services.truncated: false
Network devices with exposed login pages:
services: (labels:{network.device, login-page})
Command and Control infrastructure:
Deimos C2:
services: (services.port: 8443 and (http.response.html_title="Deimos C2" or tls.certificates.leaf_data.subject.organization="Acme Co"))
Posh C2:
services.tls.certificate.parsed.subject_dn: "C=US, ST=Minnesota, L=Minnetonka, O=Pajfds, OU=Jethpro, CN=P18055077"
Incident Response: Queries for a Zero-Day
Censys Search is a valuable tool when responding to a zero-day vulnerability disclosure.
When a zero-day hits, the Censys Research team deploys rapid response articles that explain the scope and impact of the attack, and include the queries that users can run to determine if they’ve been affected.
For example, during this year’s MOVEit CVE, users could run this query on hosts to identify potentially vulnerable assets:
services.http.response.favicons.md5_hash=af8bf513860e22425eff056332282560
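The favicon pivot above works because Censys stores the MD5 of the raw favicon bytes it fetched from each host. To hunt for a different product in the same way, hash the favicon the product serves and drop the digest into the same field. The following script is an added example, not Censys code; the favicon bytes are constructed for the demonstration, and in practice you would read the bytes served at the application's favicon path.

```python
import hashlib
from pathlib import Path

# Constructed sample favicon bytes (not a real favicon). Replace with the
# bytes of the favicon served by the product you are tracking.
SAMPLE_FAVICON = b"\x00\x00\x01\x00" + b"constructed-favicon-sample"

FAVICON_FIELD = "services.http.response.favicons.md5_hash"


def favicon_md5(data: bytes) -> str:
    """Return the lowercase hex MD5 of raw favicon bytes.

    Hash the bytes exactly as served (no decoding, no re-encoding), because
    that is what the Censys favicon field is computed over.
    """
    return hashlib.md5(data).hexdigest()


def favicon_query(data: bytes) -> str:
    """Build the Censys Search query that pivots on a favicon's MD5 hash."""
    return f"{FAVICON_FIELD}={favicon_md5(data)}"


def favicon_query_from_file(path: str) -> str:
    """Convenience wrapper: hash a favicon saved on disk and build the query."""
    return favicon_query(Path(path).read_bytes())


if __name__ == "__main__":
    # Prints a query in the same shape as the MOVEit example above,
    # but for the constructed sample bytes.
    print(favicon_query(SAMPLE_FAVICON))
```

A favicon hash is a coarse fingerprint: a vendor may reuse one icon across several products and versions, so treat a hit as a candidate for follow-up (banner, title, version fields) rather than proof that a host runs the vulnerable build.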
Additional examples of queries to find services affected by zero-days include:
- CVE-2023-20198 Cisco IOS-XE:
labels=`cisco-xe-webui`
- CVE-2023-44487 HTTP/2 Rapid Reset:
services.http.supports_http2: true
- CVE-2023-30799 MikroTik RouterOS:
services.http.response.html_title: "RouterOS router configuration page"
Meta/Facebook Pixel Trackers
Customers have also recently used Censys Search to determine the presence of Meta Pixel JavaScript code, which tracks website user activity through cookies and sends information back to Meta. This can pose a problem for sites that handle sensitive data.
Censys customers used the following query to determine the presence of Meta Pixel code on their websites:
services.http.response.body:"fbq('track', 'PageView');"
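The body query above is a literal substring match, so it only catches the exact spelling with straight single quotes and no extra whitespace; a site whose tag uses double quotes or a different layout will be missed. When you have the HTML in hand (for example, from your own crawl or from the body Censys returns for a host), a small pattern check is more tolerant and also pulls out the pixel ID from the `fbq('init', ...)` call. This is an added example, not Censys code; the HTML snippets and the pixel ID in them are constructed for the demonstration.

```python
import re

# Constructed sample: a page carrying the standard Meta Pixel base code.
HTML_WITH_PIXEL = """
<html><head>
<script>
!function(f,b,e,v,n,t,s){/* pixel loader elided */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1234567890');
fbq('track', 'PageView');
</script>
</head><body>Hello</body></html>
"""

# Constructed sample: a page with no tracker at all.
HTML_CLEAN = "<html><head><title>Status</title></head><body>OK</body></html>"

# Either quote style and arbitrary whitespace around the arguments.
_INIT_RE = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")
_PAGEVIEW_RE = re.compile(r"""fbq\(\s*['"]track['"]\s*,\s*['"]PageView['"]""")


def find_meta_pixel(html: str) -> dict:
    """Report whether a response body loads the Meta Pixel.

    Returns the distinct pixel IDs found in fbq('init', ...) calls and whether
    a PageView track call is present.  'present' is true if either signal is
    seen, so a page that initialises the pixel without an explicit PageView
    is still flagged.
    """
    pixel_ids = sorted(set(_INIT_RE.findall(html)))
    tracks_pageview = _PAGEVIEW_RE.search(html) is not None
    return {
        "present": bool(pixel_ids) or tracks_pageview,
        "pixel_ids": pixel_ids,
        "tracks_pageview": tracks_pageview,
    }


def scan_bodies(bodies: dict) -> list:
    """Return the hosts (keys of `bodies`) whose HTML carries the pixel."""
    return [host for host, html in bodies.items() if find_meta_pixel(html)["present"]]


if __name__ == "__main__":
    # Constructed host names for the demonstration.
    sample = {"shop.example": HTML_WITH_PIXEL, "status.example": HTML_CLEAN}
    for host in scan_bodies(sample):
        print(host, find_meta_pixel(sample[host]))
```

Use the Censys body query to find candidate hosts at scale, then run a check like this over the actual bodies to confirm the hit and record which pixel ID each site reports to, which is the detail a privacy review usually needs.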
Advancing Your Search with Regex Queries
Censys Search users with a paid license can run Regular Expression (Regex) queries to unlock advanced search capabilities.
Read about Regex in Search.