Advanced Legacy Search Methods and Queries

After reviewing the Censys Search Language syntax, you can now delve into more complex investigations. Use the queries on this page as a foundation for building advanced strategies for use in Legacy Search.

Here are some related reads from the Research Team:

Threat Activity Queries

Query description	Legacy Search query	Run in Legacy Search
Open directories	`services.http.response.html_title: "Index of /"`	Try it
Cobalt Strike Beacons	`services.cobalt_strike: *`	Try it
Compromised MikroTik Routers	`services.service_name: MIKROTIK_BW and "HACKED"`	Try it
Services on port 53 that are not DNS	`services: (port: 53 and not service_name: DNS) and services.truncated: false`	Try it
Network devices with exposed login pages	`services: (labels:{network.device, login-page})`	Try it
Deimos C2	`services: (services.port: 8443 and (http.response.html_title="Deimos C2" or tls.certificates.leaf_data.subject.organization="Acme Co"))`	Try it
Posh C2	`services.tls.certificate.parsed.subject_dn: "C=US, ST=Minnesota, L=Minnetonka, O=Pajfds, OU=Jethpro, CN=P18055077"`	Try it

Incident Response: Queries for a Zero-Day

Query description	Legacy Search Query	Run query in Search Legacy
MOVEit CVE	`services.http.response.favicons.md5_hash=af8bf513860e22425eff056332282560`	Try it
CVE-2023-20198 Cisco IOS-XE	`labels='cisco-xe-webui'`	Try it
CVE-2023-44487 HTTP/WHO?	`services.http.supports_http2: true`	Try it
CVE-2023-30799 MikroTik RouterOS	`services.http.response.html_title: "RouterOS router configuration page"`	Try it

Meta/Facebook Pixel Trackers

Query description	Legacy Search Query	Run query in Search Legacy
Meta Pixel code	`services.http.response.body:"fbq('track', 'PageView')"`	Try it