Commandline With Clear Text Password

# Commandlines with cleartext passwords ## Query Information #### MITRE ATT&CK Technique(s) | Technique ID | Title | Link | | --- | --- | --- | | T1552 | Unsecured Credentials | https://attack.mitre.org/techniques/T1552/ | #### Description Adversaries may search compromised systems to find and obtain insecurely stored credentials. It is best practice to not have unsecured credentials in use, therefore this query can help you to list accounts that use passwords on the commandline. Commandlines are often logged for various reasons, thus also accessible for adversaries. This query can guide you to which user use cleartext passwords on the commandline by providing the TotalExecutions, UniqueCommands, Commandlines, UniqueUsers and Usernames for each device. To limit false positives a filter can be used to only filter if both a username and a cleartext password is found. #### Risk Cleartext passwords can be logged and used by attackers to gain access to accounts. #### References - https://kqlquery.com/ - https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules - example link 3 ## Defender For Endpoint ```KQL DeviceProcessEvents | where ProcessCommandLine has_all ("-password", "*") | extend UserName = tostring(extract(@'user(?:name)?[=\s](\w+)', 1, ProcessCommandLine)) // Optionally only include results with UserName for less False Positives //| where isnotempty(UserName) | summarize TotalExecutions = count(), UniqueCommands = dcount(ProcessCommandLine), CommandLines = make_set(ProcessCommandLine, 1000), UniqueUsers = dcount(UserName), UserNames = make_set(UserName) by DeviceName | sort by UniqueUsers, UniqueCommands, TotalExecutions ``` ## Sentinel ```KQL DeviceProcessEvents | where ProcessCommandLine has_all ("-password", "*") | extend UserName = tostring(extract(@'user(?:name)?[=\s](\w+)', 1, ProcessCommandLine)) // Optionally only include results with UserName for less False Positives //| where isnotempty(UserName) | summarize TotalExecutions = count(), UniqueCommands = dcount(ProcessCommandLine), CommandLines = make_set(ProcessCommandLine, 1000), UniqueUsers = dcount(UserName), UserNames = make_set(UserName) by DeviceName | sort by UniqueUsers, UniqueCommands, TotalExecutions ```

Explanation

This query helps identify accounts that use passwords on the command line. It searches for command lines that contain the term "-password" and extracts the username from the command line. The query then provides information such as the total number of executions, unique commands, command lines, unique users, and usernames for each device. The results can be sorted by the number of unique users, unique commands, and total executions. The purpose of this query is to identify cleartext passwords that may be logged and used by attackers to gain unauthorized access to accounts.

Details

Bert-Jan Pals

Released: January 2, 2024

Tables

DeviceProcessEvents

Keywords

Keywords:DeviceProcessEvents,ProcessCommandLine,UserName,TotalExecutions,UniqueCommands,CommandLines,UniqueUsers,UserNames,DeviceName,sort,where,has_all,extend,tostring,extract,count,dcount,make_set,isnotempty,summarize.

Operators

wherehas_allextendtostringextractisnotemptysummarizecountdcountmake_setbysort

KQL Search