-- processes_bad_opsec_credentials
-- looks for running processes whose command line carries a credential (passwords, tokens, user:pass@ uris); such leaks are a common source of material for lateral movement
-- v0.2 (c) 2023 tor houghton // th(at)bogus.net
-- released under the simplified 2-clause bsd licence
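-- Snapshot query: it reads the `processes` table, i.e. whatever is running at the
-- moment osquery evaluates it. Most commands matched below are short-lived, so a
-- scheduled snapshot misses the majority of them; for real coverage run the same
-- WHERE clause against `process_events` (exec-time argv; it exposes uid, cwd,
-- time, cmdline, pid and path as well). A process can also rewrite its own argv
-- after start, which scrubs the secret from `processes` but not from the
-- exec-time record. Every regex_match() below runs once per process, so keep
-- the schedule interval modest on busy hosts.
--
-- Matching notes:
--  * osquery's regex_match() returns NULL when the pattern does not match, so
--    `IS NOT NULL` means "matched".
--  * `cmdline` is argv joined by spaces with shell quoting lost, so patterns
--    match bare tokens; `(.*\s)?` after the program name means "any earlier
--    arguments, then whitespace", which keeps a flag from matching inside an
--    unrelated long option (`--port` must not satisfy `-p`).
--  * single-letter getopt-style options are matched with `\s*` because getopt
--    also accepts the value glued to the flag (`-pSecret`); long options with
--    `(=|\s+)` because both `--opt=x` and `--opt x` are accepted. A value is
--    `[^\s-]\S*` so a following flag is not mistaken for the secret (a bare
--    `-p` that prompts interactively must not fire).
--  * Samba tools separate user and password with `%` (`-U user%pass`); the `:`
--    form is kept only for backward compatibility with v0.2.
--  * string literals are single-quoted: SQLite accepts double-quoted strings
--    only as a legacy misfeature that can be compiled out (SQLITE_DQS=0).
SELECT
    uid,
    cwd,
    -- aliased: v0.2 emitted this column under the literal expression text
    datetime(start_time, 'unixepoch') AS started_at,
    cmdline,
    -- pid/path are new in this revision; without them a hit cannot be acted on
    pid,
    path
FROM processes
WHERE
    -- generic uri with embedded credentials: scheme://user:pass@host
    regex_match(cmdline, '\S+:\/\/\S+:\S+@', 0) IS NOT NULL OR
    -- curl: -u/--user user:pass, request bodies (noisy, but bodies carry secrets
    -- more often than not), Authorization headers, --oauth2-bearer. not exhaustive.
    regex_match(cmdline, 'curl\s+(.*\s)?(-u\s*|--user\s+)\S+:\S+', 0) IS NOT NULL OR
    regex_match(cmdline, 'curl\s+(.*\s)?(-d|--data(-raw|-binary|-urlencode|-ascii)?)\s+\S+', 0) IS NOT NULL OR
    regex_match(lower(cmdline), 'curl\s+(.*\s)?authorization:\s*(bearer|basic)\s+\S+', 0) IS NOT NULL OR
    regex_match(cmdline, 'curl\s+(.*\s)?--oauth2-bearer\s+\S+', 0) IS NOT NULL OR
    -- wget: --password and the protocol-specific variants
    regex_match(cmdline, 'wget\s+(.*\s)?--(ftp-|http-|proxy-)?password(=|\s+)[^\s-]\S*', 0) IS NOT NULL OR
    -- remote access / file transfer
    regex_match(cmdline, 'sshpass\s+(.*\s)?-p\s*[^\s-]\S*', 0) IS NOT NULL OR
    regex_match(cmdline, 'lftp\s+(.*\s)?(-u\s*|--user(=|\s+))\S+,\S+', 0) IS NOT NULL OR
    regex_match(cmdline, 'lftp\s+(.*\s)?--password(=|\s+)[^\s-]\S*', 0) IS NOT NULL OR
    regex_match(cmdline, 'ncftp\S*\s+(.*\s)?-p\s+[^\s-]\S*', 0) IS NOT NULL OR
    regex_match(cmdline, 's3cmd\s+(.*\s)?--(access|secret)_key(=|\s+)\S+', 0) IS NOT NULL OR
    regex_match(cmdline, 'svn\s+(.*\s)?--password(=|\s+)[^\s-]\S*', 0) IS NOT NULL OR
    -- registry logins: `-p` deliberately requires whitespace after it so that
    -- the recommended `--password-stdin` form never fires
    regex_match(cmdline, '(docker|podman)\s+login\s+(.*\s)?(-p\s+|--password(=|\s+))[^\s-]\S*', 0) IS NOT NULL OR
    -- htpasswd: -b (batch) takes the password on the command line; -c is
    -- optional, so any flag cluster containing `b` followed by two operands counts
    regex_match(cmdline, 'htpasswd\s+(.*\s)?-[A-Za-z]*b[A-Za-z]*\s+\S+\s+\S+', 0) IS NOT NULL OR
    -- jenkins-cli: -auth user:token leaks; -auth @file is the safe form and is excluded
    regex_match(cmdline, 'java\s+.*-jar\s+\S*jenkins-cli\.jar\s+(.*\s)?-auth\s+[^@\s-]\S*', 0) IS NOT NULL OR
    -- message brokers
    regex_match(cmdline, 'mosquitto_(pub|sub|rr)\s+(.*\s)?(-P|--pw)\s+[^\s-]\S*', 0) IS NOT NULL OR
    regex_match(cmdline, 'rabbitmqctl\s+(add_user|authenticate_user|change_password)\s+\S+\s+\S+', 0) IS NOT NULL OR
    regex_match(cmdline, 'rabbitmqadmin\s+(.*\s)?(-p\s*|--password(=|\s+))[^\s-]\S*', 0) IS NOT NULL OR
    regex_match(cmdline, 'couchbase-cli\s+(.*\s)?(-p\s+|--password(=|\s+))[^\s-]\S*', 0) IS NOT NULL OR
    regex_match(cmdline, 'curator\s+.*--(password|http_auth)', 0) IS NOT NULL OR
    -- archivers (password-protected archives built on the command line)
    regex_match(cmdline, 'zip\s+(.*\s)?-P\s*[^\s-]\S*', 0) IS NOT NULL OR
    regex_match(cmdline, 'rar\s+(.*\s)?-h?p[^\s-]\S*', 0) IS NOT NULL OR
    regex_match(cmdline, '7z[ar]?\s+(.*\s)?-p[^\s-]\S*', 0) IS NOT NULL OR
    -- rdp clients
    regex_match(cmdline, 'xfreerdp\s+(.*\s)?\/p:\S+', 0) IS NOT NULL OR
    regex_match(cmdline, 'rdesktop\s+(.*\s)?-p\s*[^\s-]\S*', 0) IS NOT NULL OR
    -- database clients
    regex_match(cmdline, '(bcp|sqlcmd|tsql|isql|mssql-cli)\s+(.*\s)?-P\s*[^\s-]\S*', 0) IS NOT NULL OR
    regex_match(cmdline, 'mongo(sh|dump|restore|export|import)?\s+(.*\s)?(-p\s*|--password(=|\s+))[^\s-]\S*', 0) IS NOT NULL OR
    regex_match(cmdline, 'redis-cli\s+(.*\s)?(-a|--pass)\s+[^\s-]\S*', 0) IS NOT NULL OR
    regex_match(cmdline, 'ldap(search|modify|add|delete|whoami|passwd|compare)\s+(.*\s)?-w\s*[^\s-]\S*', 0) IS NOT NULL OR
    -- sqlplus: user/pass[@connect]; the first operand must not start with `/`,
    -- `@` or `-`, which excludes `/nolog`, `/ as sysdba`, wallet logins and scripts
    regex_match(cmdline, 'sqlplus\s+(-\S+\s+)*[^\s/@-][^\s/@]*\/[^\s@]+', 0) IS NOT NULL OR
    -- psql: password= as a conninfo keyword or as a uri query parameter (? or &)
    regex_match(cmdline, 'psql\s+(.*[\s?&])?password=\S+', 0) IS NOT NULL OR
    regex_match(cmdline, 'odbcinst\s+.*-P\s+\S+', 0) IS NOT NULL OR
    regex_match(cmdline, 'mysql\S*\s+(.*\s)?(-p[^\s-]\S*|--password=\S+)', 0) IS NOT NULL OR
    -- smb / windows remoting (user%pass is the samba convention)
    regex_match(cmdline, 'winexe\s+(.*\s)?(-U\s*|--user(=|\s+))\S+[%:]\S+', 0) IS NOT NULL OR
    regex_match(cmdline, '(smbclient|rpcclient|samba-tool)\s+(.*\s)?(-U\s*|--user(=|\s+))\S+[%:]\S+', 0) IS NOT NULL OR
    regex_match(cmdline, '(smbclient|rpcclient|samba-tool)\s+(.*\s)?--password(=|\s+)[^\s-]\S*', 0) IS NOT NULL OR
    -- crypto / cloud / orchestration tooling
    regex_match(cmdline, 'openssl\s+(.*\s)?-pass(in|out)?\s+pass:\S+', 0) IS NOT NULL OR
    regex_match(cmdline, 'kubectl\s+(.*\s)?--(token|password)(=|\s+)[^\s-]\S*', 0) IS NOT NULL OR
    regex_match(cmdline, 'aws\s+configure\s+set\s+(.*\s)?aws_secret_access_key\s+\S+', 0) IS NOT NULL OR
    regex_match(cmdline, 'az\s+login\s+(.*\s)?(-p\s+|--password(=|\s+))[^\s-]\S*', 0) IS NOT NULL
-- raw epoch gives the same order as the formatted string and skips a second datetime() per row
ORDER BY start_time DESC;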