Commandlines with cleartext passwords
Commandline With Clear Text Password
Query
DeviceProcessEvents
| where ProcessCommandLine has_all ("-password", "*")
| extend UserName = tostring(extract(@'user(?:name)?[=\s](\w+)', 1, ProcessCommandLine))
// Optionally only include results with UserName for less False Positives
//| where isnotempty(UserName)
| summarize TotalExecutions = count(), UniqueCommands = dcount(ProcessCommandLine), CommandLines = make_set(ProcessCommandLine, 1000), UniqueUsers = dcount(UserName), UserNames = make_set(UserName) by DeviceName
| sort by UniqueUsers, UniqueCommands, TotalExecutionsAbout this query
Explanation
This query is designed to identify instances where cleartext passwords are used in command lines on devices, which is a security risk. The query searches through device process events to find command lines that contain the term "-password" along with any other character, indicating a potential password entry. It extracts usernames from these command lines and provides a summary for each device, including:
- TotalExecutions: The total number of times these command lines were executed.
- UniqueCommands: The number of distinct command lines that were executed.
- CommandLines: A set of up to 1000 unique command lines that were found.
- UniqueUsers: The number of distinct users associated with these command lines.
- UserNames: A set of usernames extracted from the command lines.
The results are sorted by the number of unique users, unique commands, and total executions to help identify which devices and users are most at risk. The query can be refined to reduce false positives by only including results where a username is present. This helps in identifying accounts that might be using insecure practices, allowing for corrective actions to be taken.
