{
	"id": "04c856f6-9f65-4d49-a053-369e550f02fc",
	"created_at": "2026-04-06T00:13:44.714748Z",
	"updated_at": "2026-04-10T03:35:21.441754Z",
	"deleted_at": null,
	"sha1_hash": "87bb5a93a084b618ec57b020195a630c6b2c7d91",
	"title": "A Beginner's Guide to Hunting Malicious Open Directories - Censys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2425754,
	"plain_text": "A Beginner's Guide to Hunting Malicious Open Directories - Censys\r\nBy Ivonne Francia\r\nPublished: 2024-07-22 · Archived: 2026-04-05 16:16:29 UTC\r\nIntroduction\r\nThreat analysts investigating malicious infrastructure are likely to encounter “open directories” during their investigations. These directories, commonly referred to as “opendirs”, are openly accessible web servers on which threat actors host files used in their operations.\r\nAn open directory is a simple concept that most analysts will recognise. Despite this, there is little public documentation on how to discover them and how to identify and track new open directory infrastructure.\r\nThis blog covers the basics of an open directory, how you can discover them while hunting, and how to take an investigation into open directory infrastructure further.\r\nWhat Is An Open Directory?\r\nAn open directory is simply a web server where directory listing has been left enabled, so that the directory contents are publicly visible to anyone who browses to the IP or domain of the site.\r\nFrom the threat actor's perspective, this makes malicious files easy to stage and deliver when and where they are needed. These are often second-stage files for malware, or tooling used in hands-on operations.\r\nThere are legitimate use cases as well, where a genuine service needs to make a file publicly and easily accessible, but for today we will focus on malicious use cases and how to separate them from genuine examples.\r\nBelow (shared by RussianPanda9XX on X/Twitter) is one malicious example where an open directory is hosting malicious files.
This example shows an Apache-based open directory when viewed directly in a browser.\r\nhttps://censys.com/a-beginners-guide-to-hunting-open-directories/\r\nPage 1 of 25\r\nAnother example is an open directory used by ValleyRat and reported by Zscaler. This open directory is running the HFS (HTTP File Server) software.\r\nThe appearance differs between server software, but the functionality remains the same. Here is another example showing the slight differences between Apache and Python listings. These differences are covered in more detail in the “Dorking The Internet” report by Censys.\r\nSo How Can You Find an Open Directory?\r\nOpen directories can be discovered in the community edition of Censys by searching for the open-dir label.\r\nCensys automatically scans the internet for open directories and applies the open-dir label regardless of the software used. This means that Apache, Python, HFS and others are all included and do not need to be searched for individually.\r\nThis label covers all open directories, both malicious and legitimate. On its own it can return hundreds of thousands of results.\r\nWe see this below with a plain search for labels:open-dir, which returns 450,153 current open directories.\r\nAs shown, the search for labels:open-dir returns all results regardless of whether they are malicious or legitimate.\r\nThe remainder of this blog demonstrates how to combine this query with additional parameters to narrow the results down to malicious ones.\r\nSection 1: Static File Names For Open Directory Hunting\r\nThe simplest method of identifying malicious directories is to leverage file names from previous incidents.\r\nLet’s consider 81.71.147[.]158, which was shared by @morimolymoly2 on Twitter/X.
This IP contains an open directory with a large number of suspicious files.\r\nIf we search for the IP on Censys, we arrive at the host page, where the following information is available on port 80.\r\nThe open directory on 81.71.147[.]158 contains multiple files whose names are unique enough to be used as pivot points, meaning values that can be placed directly into a query to find related servers.\r\nTwo primary patterns stand out.\r\na.dll, a.exe, a.hta, a.jpg – Suspicious files with short, single-character file names.\r\nyaml-payload.jar – A suspicious file containing “payload” in the file name, likely related to a Java (YAML) deserialization exploit.\r\nWe can combine these file names with the labels:open-dir query to identify other open directory infrastructure hosting files with the same names.\r\nPivoting on Static File Names\r\nFile names like a.exe can be combined with the labels:open-dir parameter to identify open directories hosting files with the same name (although not necessarily the same file contents). Censys stores open directory content in the services.http.response.body field, so this is where we place a file name in combination with labels:open-dir.\r\nHence, we can search for open directories containing a.exe with labels:open-dir and services.http.response.body:a.exe. Note that a plain term like this matches the string wherever it appears in the response body, so it may also pick up longer names that contain it; Section 3 shows how to anchor on the exact file name. This simple search returns 9 servers.\r\nThe first result from the search is 159.223.130[.]216. Browsing to the associated host page shows an open directory hosting a.exe, as well as other files with similar single-character naming schemes.
In addition to a.exe, we now have b.exe, c.exe and curl.exe.\r\nCurl is a “legitimate” tool used to download files, so curl.exe is unlikely to be malware; it is more likely a supporting tool dropped so that curl is available during operations on hosts where it was not already present.\r\nTo confirm the nature of these files, we can download them (using a sandbox or a separate analysis machine) by browsing to the site directly, and then perform manual analysis or submit them to a sandbox. This is not always recommended for opsec reasons, but that is a topic for another discussion.\r\nIn cases where the infrastructure is not sensitive, the files can be scanned by inputting the URL directly into VirusTotal. In this case, we can input \u003cIP\u003e/b.exe and see that it has 34 detections and contains a Sliver C2 implant.\r\nNote that this kind of scanning will often alert the actor that their servers are being investigated, because VirusTotal fetches the file from the actor's server. You should take this into consideration when investigating infrastructure.\r\nThe b.exe file has 34 detections, but the open directory hosting it has 0 detections on VirusTotal.\r\nThis means that we have likely found some “new” infrastructure, using only a simple file name for our analysis.\r\nWe can continue investigating the search results for more instances of a.exe.\r\nAnother result from our prior search is 121.43.135[.]166, which contains a.exe and numerous other suspicious files.\r\nThe same file naming patterns can be seen across the other servers returned by the search, which all contain a.exe in combination with other suspicious files.\r\nPivoting on An Exploit File Name\r\nThe initial IP contained another suspicious file named yaml-payload.jar.
Googling this file name suggests that it is related to a YAML deserialization exploit.\r\nRepeating the process from before, we can identify similar servers by searching for labels:open-dir and services.http.response.body:\"yaml-payload.jar\"\r\nThe simple search returns 8 open directories hosting files with the same name.\r\nOne of the results contains yaml-payload.jar and a reference to artifact_x86.exe, which is a common file name for Cobalt Strike payloads.\r\nThis means that our simple pivot on yaml-payload.jar has likely led us to the server of an actor leveraging Cobalt Strike.\r\nThe artifact_x86.exe name is unique enough to be utilised as another pivot point; an analyst could perform additional pivoting on that name. This is as simple as repeating the previous searches with different file names in the services.http.response.body field.\r\nSummary – Static File Names For Open Directory Hunting\r\nStatic file names serve as a simple and highly effective means of discovering new malicious open directories.\r\nBy using public reporting (social media, intel repos, internal incidents), you can easily identify simple file names that lead to new infrastructure.\r\nTo achieve all of this, simply search for labels:open-dir and then add your suspicious file name to the services.http.response.body field.\r\nSection 2: Autonomous Systems and Hosting Providers\r\nOpen directory hunting can be heavily assisted by combining hosting providers with the labels:open-dir query. This can be especially effective when an actor uses a unique or uncommon hosting provider.\r\nConsider the IP 77.105.160[.]30 (initially shared by @karol_paciorek).
This server has an open directory and is hosted on EVILEMPIRE, with an Autonomous System Number of 216309.\r\nSince this is an uncommon provider, we can discover more open directories by combining the ASN with labels:open-dir, for example labels:open-dir and autonomous_system.asn:216309.\r\nThe usage of EVILEMPIRE is unusual enough that there are only 8 open directories hosted there.\r\nOne of those results is 77.105.132[.]27, which matches our search criteria and has already been marked as a known C2.\r\nBy browsing to the host page and looking at the directory contents, it appears to be hosting both Vidar and Lumma malware.\r\nSummary – Autonomous Systems and Hosting Providers\r\nCombining open directory hunts with unusual hosting providers can quickly lead to new results.\r\nThis works best when the provider is uncommon or well known for hosting malicious actors, so be careful when applying this technique to a large provider such as Amazon or Cloudflare. Large providers such as these can be associated with tens of thousands of results, which are difficult to parse and extremely prone to false positives without additional filtering.\r\nConsider that Cloudflare was linked to 38,614 open directories in 2023 alone, with Amazon linked to a considerable 21,805. More statistics are covered in detail in “Dorking The Internet”.\r\nSection 3: File Name Patterns and Regular Expressions\r\nIn the first section, we used static file names to pivot to additional open directories. However, there is a much better way to do this with the addition of regular expressions.\r\nConsider the search for “files named a.exe” vs.
the search for “ANY single-character .exe”. The second option is more generic (in a good way) and allows for more effective searching.\r\nWe can abstract the a.exe file name using a regular expression that instead matches any single-character executable. For more effective searching, we can expand this to any single-character file name with the extension exe, hta or rtf.\r\nConsider the following file names from one of our previous searches.\r\nThe open directory contains 9 files with only a single character before the extension (a.dll, 1.rtf, a.hta etc).\r\nRather than searching for these names individually, let’s create a regular expression that matches single-character file names with any of the exe, rtf or hta extensions.\r\nWe can create a simple prototype using CyberChef, and then add it to the services.http.response.body field.\r\nNote that the regular expression now runs against the raw HTML of the directory listing, not the rendered page shown in the previous screenshots. In the raw HTML each file name sits inside a quoted href attribute, so we wrap the pattern in .*\" at the start and \".* at the end. The .* on each side is needed because the expression has to match the whole response body, and the quotes anchor the match to a complete file name, so that we only match files named a.exe, not files whose names merely contain a.exe.
\r\nBelow we can see the quote characters before and after the file names, which we account for in our regular expression.\r\nTaking the raw HTML into account, we can search for single-character file names with the following query.\r\nlabels:open-dir and services.http.response.body:/.*\"\\w.(exe|hta|rtf)\".*/\r\nFor those unfamiliar with regular expressions, here is a visualisation courtesy of regexper.com. Note that the unescaped . between the name and the extension matches any single character; \\. would restrict it to a literal dot.\r\nExecuting this new search returns 57 results for open directories with single-character file names.\r\nOne of these results is 20.98.129[.]89, which contains a single-character e.hta file (matching our regular expression) as well as a very suspicious payload.exe.\r\nAnother search result is 1.92.96[.]35, where our regular expression has matched single-character file names like f.exe, m.exe, m.hta and p.hta.\r\nIn addition to the matching names, this open directory references cs4.9, which is likely a reference to Cobalt Strike version 4.9. The cs4.9 string would be a good candidate for additional pivots.\r\nAnother search result is 38.206.173[.]58, which appears to be hosting ransomware given the presence of unlocker.exe and READ_TO_DECRYPT.html.\r\nThere are numerous opportunities here for files that could be used to pivot to additional servers.\r\nSummary – File Name Patterns and Regular Expressions\r\nFile name patterns in the form of regular expressions can be far more effective than static name searching.
If you notice multiple file names with different but “similar” values, try using a regular expression to group them together.\r\nAdvanced queries utilising regular expressions will often lead to additional malicious servers.\r\nSection 4: Combining File Extensions\r\nFile extensions can be another simple and effective way to identify suspicious open directories.\r\nFor example, the combination of an .exe and an .hta file in the same open directory is rare and unlikely to occur in a legitimate directory, so we can use this idea to identify malicious servers. The same concept applies to an .hta and a .ps1 sharing the same directory.\r\nConsider one of our previous results, which contains a mixture of .hta, .png, .exe, .msi and .txt files. We can use this combination (or a subset of it) to identify additional infrastructure.\r\nWe can build a query that searches for all open directories containing both an .hta and an .exe extension.\r\nlabels:open-dir and same_service(services.http.response.body:*.hta* and services.http.response.body:*.exe*) and not services.http.response.body:*htaccess*\r\nA few quick notes on that query:\r\nsame_service – This tells the search to only include results where both file types were observed on the same port. We don’t want a server with .hta on port 443 and .exe separately on port 80.\r\nnot *htaccess* – .htaccess is a legitimate file which matches our wildcard search for .hta, so we exclude it from our results without resorting to regular expressions. Be aware that this clause drops any host whose response body mentions htaccess at all, including hosts that also have genuine .hta files, so it trades a little recall for precision.\r\nRunning that query returns 9 results, one of which is an open directory on 20.163.176[.]155.\r\nThis directory matches our search for both an .hta and an .exe file on the same service.\r\nThe open directory on 20.163.176[.]155 contains multiple “update” files that are marked as downloaders by VirusTotal.
So we have encountered another server containing malicious files.\r\nThe open directory also contains a new pattern of .ps1 and .exe files, so we can adjust our query to search for this and identify further suspicious results.\r\nThis query searches for open directories containing both a PowerShell script and an executable file.\r\nlabels:open-dir and same_service(services.http.response.body:*.ps1* and services.http.response.body:*.exe*)\r\nThe search returns 84 results for open directories containing PowerShell scripts and executables.\r\nOne of these results is 96.255.173[.]42, which contains both .exe and .ps1 files, as well as a collection of other suspicious files likely related to the PowerSploit toolkit.\r\nBonus Pivot On Filename Patterns\r\nThe directory shown above contains multiple files with “power” in the file name, followed by a ps1 or py extension.\r\nUsing regular expressions, we can turn this into a generic query for any open directory containing a .py or .ps1 file whose name begins with power.\r\nWe can first prototype the regular expression using CyberChef.\r\nWith the regular expression working, we can search for .ps1 or .py files whose file name contains power.\r\nThe search returns 7 results, one of which is 95.111.214[.]111.\r\nWe can see that this directory contains even more files related to offensive PowerShell toolkits.\r\nAnother result is 116.114.20[.]180, which contains powercat.ps1 amongst other suspicious file names.\r\nThe powercat file is likely a reference to the PowerShell implementation of Netcat.\r\n
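The following is an added example, not code from the Censys post and not a Censys tool. It takes the raw HTML of a directory listing (the same content that the services.http.response.body queries in Sections 1, 3 and 4 run against), extracts whole file names from the href attributes, and applies the heuristics those sections describe: single-character names, payload in the name, power* PowerShell tooling, csX.X version strings, short numeric PNG names and rare extension pairs on one listing. It also shows why Section 3 anchors on the quote character: a substring search for a.exe is satisfied by data.exe, while the anchored form is not. The listings, the file names in them and all function names are constructed for the example; nothing is captured from the servers named in the post, and nothing here contacts Censys. The code is deliberately written without double-quote or backslash characters so it can sit inside this record unchanged.

```python
import re
from urllib.parse import unquote

# Added example, not code from the Censys post: offline triage of the raw HTML
# of a directory listing using the post's file-name and extension heuristics.
# All sample listings below are constructed, not captured from real servers.

# A literal double quote, built with chr() so the HTML and the regexes can be
# written without quote escaping.
Q = chr(34)

# Apache, python -m http.server and HFS listings all put file names inside a
# quoted href attribute; extracting the href values yields whole file names
# rather than substrings of the page.
HREF_RE = re.compile('href=' + Q + '([^' + Q + ']+)' + Q, re.I)

# Heuristics from the post, expressed on an extracted file name. [.] is a
# literal dot; the post's queries use an unescaped dot, which matches any char.
SINGLE_CHAR_RE = re.compile('[a-z0-9][.](exe|hta|rtf|ps1)', re.I)        # a.exe, 1.rtf
POWER_TOOL_RE = re.compile('power[a-z]+[.](ps1|py)', re.I)               # powercat.ps1
CS_VERSION_RE = re.compile('(^|[^a-z0-9])(cs|cobalt)[34][.][0-9]', re.I)  # cs4.9
NUMERIC_PNG_RE = re.compile('[0-9]{1,5}[.]png', re.I)                    # 12345.png
# Extension pairs that rarely share a legitimate directory (the same_service idea).
EXTENSION_PAIRS = (('.hta', '.exe'), ('.ps1', '.exe'), ('.hta', '.ps1'))


def apache_listing(names):
    # Constructed approximation of an Apache mod_autoindex page, including the
    # sort links and parent-directory link that a real listing carries.
    rows = ['<a href=' + Q + '?C=N;O=D' + Q + '>Name</a>',
            '<a href=' + Q + '/' + Q + '>Parent Directory</a>']
    rows += ['<a href=' + Q + n + Q + '>' + n + '</a>' for n in names]
    return ('<html><head><title>Index of /</title></head><body>'
            '<h1>Index of /</h1><pre>' + ' '.join(rows) + '</pre></body></html>')


def python_listing(names):
    # Constructed approximation of a python -m http.server page.
    rows = ['<li><a href=' + Q + n + Q + '>' + n + '</a></li>' for n in names]
    return ('<html><head><title>Directory listing for /</title></head><body>'
            '<h1>Directory listing for /</h1><hr><ul>' + ''.join(rows)
            + '</ul><hr></body></html>')


def file_names(body):
    # Whole file names from the listing, skipping sort links and directories.
    names = []
    for href in HREF_RE.findall(body):
        if href.startswith('?') or href.endswith('/'):
            continue
        names.append(unquote(href).rsplit('/', 1)[-1])
    return names


def substring_hit(body, name):
    # What a plain body:a.exe term amounts to: the string anywhere in the page,
    # so data.exe also satisfies a search for a.exe.
    return name.lower() in body.lower()


def anchored_hit(body, name):
    # The quote-anchored form from Section 3: only an href equal to the whole
    # name matches.
    return re.search(Q + re.escape(name) + Q, body, re.I) is not None


def assess(body):
    # Returns {finding: [matching names]} for every heuristic that fires.
    names = file_names(body)
    lower = [n.lower() for n in names]
    findings = {}
    checks = (('single-character name', lambda n: SINGLE_CHAR_RE.fullmatch(n)),
              ('payload in name', lambda n: 'payload' in n.lower()),
              ('offensive PowerShell naming', lambda n: POWER_TOOL_RE.fullmatch(n)),
              ('Cobalt Strike version string', lambda n: CS_VERSION_RE.search(n)),
              ('short numeric png', lambda n: NUMERIC_PNG_RE.fullmatch(n)))
    for label, check in checks:
        hits = [n for n in names if check(n)]
        if hits:
            findings[label] = hits
    for ext_a, ext_b in EXTENSION_PAIRS:
        # endswith on whole names means .htaccess never counts as .hta, so the
        # separate htaccess exclusion the wildcard query needs is not required.
        if any(n.endswith(ext_a) for n in lower) and any(n.endswith(ext_b) for n in lower):
            findings['extension pair ' + ext_a + ' + ' + ext_b] = [
                n for n in names if n.lower().endswith((ext_a, ext_b))]
    return findings


# Constructed samples whose names echo the patterns discussed in the post.
STAGING_LISTING = apache_listing(
    ['a.dll', 'a.exe', 'a.hta', 'a.jpg', 'yaml-payload.jar', 'data.exe'])
TOOLING_LISTING = python_listing(
    ['powercat.ps1', 'PowerView.ps1', 'powerup.py', 'update.exe', '.htaccess',
     'cs4.9.exe', '12345.png', 'README.md'])
BENIGN_LISTING = apache_listing(['index.html', 'logo.png', 'report-2023.pdf', '.htaccess'])

if __name__ == '__main__':
    for label, body in (('staging', STAGING_LISTING), ('tooling', TOOLING_LISTING),
                        ('benign', BENIGN_LISTING)):
        print(label, assess(body))
```

The extension-pair check works on extracted names, which is why it needs no htaccess exclusion; the Censys query has to exclude it because *.hta* is a substring wildcard over the whole body. The benign listing returns no findings, the staging listing fires on the single-character names, the payload name and the .hta plus .exe pair, and the tooling listing fires on the power* scripts, the cs4.9 string, the numeric PNG and the .ps1 plus .exe pair.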
Summary: Combining File Extensions\r\nFile extensions can be as useful and as simple as file names when searching for open directories.\r\nIf an investigation shows an open directory with an unusual combination of file types, try utilising that combination in your query. You would be surprised how simple this is, yet how often it leads to new malicious results.\r\nConclusion\r\nWe have now shown 4 useful techniques for identifying and hunting malicious open directories. These techniques are extremely effective for finding and tracking open directory infrastructure used by threat actors.\r\nAlthough this is not an exhaustive list, these techniques, both on their own and in combination, are valuable methods to have in your investigation toolkit.\r\nWith the exception of regular expressions, all of these techniques are available to try out in the Community edition of Censys.\r\nAnd for those who love statistics and deep dives, check out the Dorking The Internet report by Censys. This 31-page report takes a look at all the nitty-gritty of open directory exposure, including how and where they are being found in both malicious and legitimate scenarios.\r\nBonus Related Queries\r\nFor Community Users\r\nANY open directory\r\nlabels:open-dir\r\nOpen directories containing a.exe files\r\nlabels:open-dir and services.http.response.body:a.exe\r\nOpen directories containing “Payload.exe”\r\nlabels:open-dir and services.http.response.body:payload.exe\r\nOpen directories referencing CS4.9\r\nlabels:open-dir and services.http.response.body:cs4.9\r\nFor Users With Regular Expression Access\r\nOpen directories containing “Power” files with ps1 or py extension\r\nlabels:open-dir and services.http.response.body:/.*power[a-z]+.(ps1|py).*/\r\nOpen directories containing single
character RTF, HTA or PS1 files\r\nlabels:open-dir and services.http.response.body:/.*\\W\\w.(hta|rtf|ps1)\\W.*/\r\nOpen directories referencing a version of Cobalt Strike in the format csX.X\r\nlabels:open-dir and services.http.response.body:/.*\\W(cs|cobalt)[34].\\d(.exe)?.*/\r\nOpen directories with short numeric names for PNG files\r\nlabels:open-dir and services.http.response.body:/.*\"[0-9]{1,5}.png\\W.*/\r\nIn all of these patterns the unescaped . before the extension matches any single character; use \\. to require a literal dot.\r\nMatthew\r\nEmbee Research\r\nMatthew (aka @embee_research) is a security researcher based out of Melbourne, Australia. Matthew has a passion for all things malware, burritos and creating educational cyber content.\r\nSource: https://censys.com/a-beginners-guide-to-hunting-open-directories/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://censys.com/a-beginners-guide-to-hunting-open-directories/"
	],
	"report_names": [
		"a-beginners-guide-to-hunting-open-directories"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434424,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87bb5a93a084b618ec57b020195a630c6b2c7d91.pdf",
		"text": "https://archive.orkl.eu/87bb5a93a084b618ec57b020195a630c6b2c7d91.txt",
		"img": "https://archive.orkl.eu/87bb5a93a084b618ec57b020195a630c6b2c7d91.jpg"
	}
}