Leveraging IDR log search/alerts to find cleartext passwords/files

Hi there. We are trying to amp up our proactive risk management and want to see if we could leverage IDR’s log search or alert system to identify if there are cleartext passwords in the environment or files that contain passwords. It’s a bit vague, which is why we are struggling a little to figure out a good way to set this up or search for it. If anyone has any suggestions, it would be incredibly helpful!

Hey @awillett,

One thing you could leverage is the Endpoint Activity → Process Start Events log.

This log contains the process start log events for your machines running the Insight Agent. (Enhanced Endpoint Telemetry | InsightIDR Documentation)

You can look for activities such as users opening text files with simple strings such as “password”.

If you are aware of a known occurrence of a plaintext password being passed in a command or invocation of an exe, you could search for that specifically to understand what the log looks like, and then use a tailored search for something similar.

Hi,

There is already a card that does some of this. See the query below. If you want to identify the content of a file, I think you must set up a FIM rule.

where(os_type=/windows/i AND process.name=/(excel|notepad|winword|wordpad)\.exe/i AND process.cmd_line=/.*(creds|credential|password).*\.(doc|txt|xls|csv).*/i NOT process.cmd_line ICONTAINS [credentialing]) groupby(process.username,hostname,process.cmd_line)
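To see what the query above would and would not flag before relying on it, this added example (not part of the thread and not Rapid7 code) applies the same patterns to constructed process start events in Python. The flat event keys, the `ev` helper and every sample user, host and path are assumptions made for illustration.

```python
import re
from collections import Counter

# Patterns copied from the LEQL query in the post above. re.search is used on the
# assumption that a LEQL /regex/ may match anywhere in the field value.
OS_RE = re.compile(r"windows", re.I)
EDITOR_RE = re.compile(r"(excel|notepad|winword|wordpad)\.exe", re.I)
CMDLINE_RE = re.compile(r".*(creds|credential|password).*\.(doc|txt|xls|csv).*", re.I)
EXCLUDE = "credentialing"  # the query's case-insensitive ICONTAINS exclusion


def ev(user, host, name, cmd, os_type="Windows"):
    """Build a constructed event whose flat keys mirror the query's field names."""
    return {"os_type": os_type, "hostname": host, "process.username": user,
            "process.name": name, "process.cmd_line": cmd}


ALICE_CMD = r'"C:\Windows\system32\notepad.exe" C:\Users\alice\Desktop\passwords.txt'
# Constructed sample events (invented users, hosts and paths).
SAMPLE_EVENTS = [
    ev("alice", "WS-101", "notepad.exe", ALICE_CMD),
    ev("alice", "WS-101", "notepad.exe", ALICE_CMD),  # same file opened twice
    ev("carol", "WS-207", "EXCEL.EXE", r'"C:\Office\EXCEL.EXE" "C:\Users\carol\svc_creds.csv"'),
    # Matches the keyword regex but is dropped by the "credentialing" exclusion.
    ev("dave", "WS-311", "EXCEL.EXE", r'"C:\Office\EXCEL.EXE" "\\fs01\hr\Credentialing-roster.xls"'),
    # No keyword in the command line.
    ev("bob", "WS-102", "WINWORD.EXE", r'"C:\Office\WINWORD.EXE" C:\Users\bob\Documents\notes.doc'),
    # Coverage gap: keyword and extension are present, but the process is not a listed editor.
    ev("erin", "WS-450", "powershell.exe", r'powershell.exe Get-Content C:\temp\creds.txt'),
]


def matches(event):
    """Return True when the event satisfies every condition of the where() clause."""
    cmd = event.get("process.cmd_line", "")
    return bool(OS_RE.search(event.get("os_type", ""))
                and EDITOR_RE.search(event.get("process.name", ""))
                and CMDLINE_RE.search(cmd)
                and EXCLUDE not in cmd.lower())


def group_hits(events):
    """Count hits per (username, hostname, cmd_line), like the query's groupby()."""
    return Counter((e["process.username"], e["hostname"], e["process.cmd_line"])
                   for e in events if matches(e))


if __name__ == "__main__":
    for key, count in group_hits(SAMPLE_EVENTS).most_common():
        print(count, *key, sep=" | ")
```

The PowerShell event shows that the query only covers files opened in the four listed editors, so other ways of reading such a file do not appear in its results.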