Query Details

Commandlines with cleartext passwords

Commandline With Clear Text Password

Query

DeviceProcessEvents
| where ProcessCommandLine has_all ("-password", "*")
| extend UserName = tostring(extract(@'user(?:name)?[=\s](\w+)', 1, ProcessCommandLine))
// Optionally only include results with UserName for less False Positives
//| where isnotempty(UserName)
| summarize TotalExecutions = count(), UniqueCommands = dcount(ProcessCommandLine), CommandLines = make_set(ProcessCommandLine, 1000), UniqueUsers = dcount(UserName), UserNames = make_set(UserName) by DeviceName
| sort by UniqueUsers, UniqueCommands, TotalExecutions

About this query

Explanation

This query is designed to identify instances where cleartext passwords are used in command lines on devices, which is a security risk. The query searches through device process events to find command lines that contain the term "-password" along with any other character, indicating a potential password entry. It extracts usernames from these command lines and provides a summary for each device, including:

  • TotalExecutions: The total number of times these command lines were executed.
  • UniqueCommands: The number of distinct command lines that were executed.
  • CommandLines: A set of up to 1000 unique command lines that were found.
  • UniqueUsers: The number of distinct users associated with these command lines.
  • UserNames: A set of usernames extracted from the command lines.

The results are sorted by the number of unique users, unique commands, and total executions to help identify which devices and users are most at risk. The query can be refined to reduce false positives by only including results where a username is present. This helps in identifying accounts that might be using insecure practices, allowing for corrective actions to be taken.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsUserNameCommandLineTotalExecutionsUniqueCommandsLinesUsersNames

Operators

DeviceProcessEventswherehas_allextendtostringextractsummarizecountdcountmake_setbysort

MITRE Techniques

Actions

GitHub