Some of my own osquery/FleetDM queries that might be of use to others. They could surely benefit from being tweaked and added to; pull requests welcome. There may be a case for matching a single generic pattern such as "://\S+:\S+@" (a URL carrying user:password@ before the host) instead of process-specific regular expressions for curl, wget, ftp and so on, since any tool that accepts a URL can leak credentials the same way.
Searches the eBPF process events table (bpf_process_events) for credential leaks. Because the table is event-based rather than a snapshot, it can catch short-lived and already-exited processes that a process-list query misses; how far back it reaches depends on how busy the endpoint is. Requires eBPF support in the kernel (Linux only) as well as --enable_bpf_events=true in osquery's flag file.
Searches the command column of the crontab table (system and per-user crontabs) for credential leaks in scheduled jobs.
Searches the running process list (the processes table) for credential leaks. This is a point-in-time snapshot, so it will not find processes that have already exited and is unlikely to catch short-lived ones (cron/at jobs, ad-hoc commands run from a shell).
Searches the shell history (the shell_history table) for credential leaks. Also looks for environment variables whose names suggest they hold credentials (passwords, tokens, secrets).
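As an added illustration (these are not the repository's own queries), the following applies the single generic "user:secret@" pattern from the introduction to each of the tables described above: bpf_process_events, crontab, processes, shell_history and process_envs. It assumes osquery 4.2 or later, where the regex_match(text, pattern, group) SQL function is available. Only the URL username and host are returned, never the secret itself, so that a credential found on an endpoint is not copied into the fleet server's result logs.

```sql
-- Added example queries, not part of the original repository.
-- Pattern: scheme://USER:SECRET@HOST ... group 1 = USER, group 2 = HOST.
-- The cheap LIKE pre-filter runs first; the regex only confirms real hits and
-- rejects look-alikes such as http://host:8080/path?mail=a@b.

-- 1. Event-based: short-lived processes (Linux, needs --enable_bpf_events=true).
SELECT * FROM (
  SELECT time, pid, uid, path,
         regex_match(cmdline, '://([^/\s:@]+):[^/\s@]+@([^/\s:]+)', 1) AS url_user,
         regex_match(cmdline, '://([^/\s:@]+):[^/\s@]+@([^/\s:]+)', 2) AS url_host
  FROM bpf_process_events
  WHERE cmdline LIKE '%://%:%@%'
) WHERE COALESCE(url_user, '') != '';

-- 2. Snapshot: currently running processes (misses anything that has exited).
SELECT * FROM (
  SELECT pid, uid, name, path,
         regex_match(cmdline, '://([^/\s:@]+):[^/\s@]+@([^/\s:]+)', 1) AS url_user,
         regex_match(cmdline, '://([^/\s:@]+):[^/\s@]+@([^/\s:]+)', 2) AS url_host
  FROM processes
  WHERE cmdline LIKE '%://%:%@%'
) WHERE COALESCE(url_user, '') != '';

-- 3. Scheduled jobs: system and per-user crontabs.
SELECT * FROM (
  SELECT path AS crontab_file, minute, hour, day_of_month, month, day_of_week,
         regex_match(command, '://([^/\s:@]+):[^/\s@]+@([^/\s:]+)', 1) AS url_user,
         regex_match(command, '://([^/\s:@]+):[^/\s@]+@([^/\s:]+)', 2) AS url_host
  FROM crontab
  WHERE command LIKE '%://%:%@%'
) WHERE COALESCE(url_user, '') != '';

-- 4. Shell history, joined to users so the report carries a username not a uid.
SELECT * FROM (
  SELECT u.username, h.history_file, h.time,
         regex_match(h.command, '://([^/\s:@]+):[^/\s@]+@([^/\s:]+)', 1) AS url_user,
         regex_match(h.command, '://([^/\s:@]+):[^/\s@]+@([^/\s:]+)', 2) AS url_host
  FROM shell_history h
  JOIN users u USING (uid)
  WHERE h.command LIKE '%://%:%@%'
) WHERE COALESCE(url_user, '') != '';

-- 5. Environment variables that look like credentials. Only the variable name
--    and owning process are reported; the value is deliberately left out.
SELECT e.pid, p.name, p.path, e.key
FROM process_envs e
JOIN processes p USING (pid)
WHERE e.key LIKE '%PASSWORD%'
   OR e.key LIKE '%PASSWD%'
   OR e.key LIKE '%SECRET%'
   OR e.key LIKE '%TOKEN%'
   OR e.key LIKE '%API_KEY%';
```

The same regex is repeated in each query because osquery's SQLite dialect has no user-defined views across a query pack; if the pattern needs tuning (for example to exclude a known-safe internal host), change it in one place and copy it to the others. Queries 1 and 2 overlap on purpose: bpf_process_events is Linux-only and event-driven, so the processes snapshot remains the fallback on other platforms.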
Tor Houghton
Released under a Simplified BSD 2-Clause license.