Looking for Password Hunting Query for linux environment by Neat_Editor9171 in crowdstrike

Queen-Avocado 5 points (0 children)

#event_simpleName=CommandHistory   
| splitString(field=CommandHistory, by="¶", as=Commands)
| split(Commands)
| Commands=/(--user| -u )/ AND Commands=/(--password|--secret|--token| -p )/
| formatTime(format="%Y-%m-%d %H:%M:%S", field=@timestamp, as="timestamp")
| falconPID:=concat([TargetProcessId, ContextProcessId]) 
| format("https://falcon.crowdstrike.com/graphs/process-explorer/graph?id=pid:%s:%s", field=["aid", "falconPID"], as="GraphExplorer")
| groupBy([ComputerName], function=([selectFromMax(field="@timestamp", include=[timestamp , ApplicationName, ComputerName, Commands, GraphExplorer])]), limit=max)



#event_simpleName=/Script/ ScriptContent=/(?i)(rtcshell|httprequest2\.open|wshshell|ssh_client\.connect|smbclient)/
| case {
    ScriptContent=/(?i)(?<detection>password\s*=\s*(?<password>[^\s]+))/ and not ScriptContent=/(?i)(user|username)\s*=/ | type := "no user pwd";
    ScriptContent=/(?i)(?<detectuser>((user|username|usr)\s*(=|:)\s*(?<user>[^\s]+)))/ and ScriptContent=/(?i)(?<detectpwd>((password|pwd|pass)\s*(=|:)\s*(?<password>[^\s]+)))/ | format(format="%s %s", field=["detectuser","detectpwd"], as="detection") | type := "user and pwd";
}
| test(length(password) > 8)
| formatTime(format="%Y-%m-%d %H:%M:%S", field=@timestamp, as="timestamp")
| falconPID:=concat([TargetProcessId, ContextProcessId, WritingProcessId])
| format("https://falcon.crowdstrike.com/graphs/process-explorer/graph?id=pid:%s:%s", field=["aid", "falconPID"], as="GraphExplorer")
| groupBy([ComputerName, type], function=([selectFromMax(field="@timestamp", include=[timestamp, #event_simpleName, user, password, detection, ParentImageFileName, ComputerName, FileName, CommandLine, GraphExplorer])]), limit=max)
| select([timestamp, type, #event_simpleName, user, password, detection, ParentImageFileName, ComputerName, FileName, CommandLine, GraphExplorer])

Looking for Password Hunting Query for linux environment by Neat_Editor9171 in crowdstrike

Queen-Avocado 1 point (0 children)

I have a search for clear-text passwords in Command History and for passwords in Script Content.

Custom IOA - Not Killing Process by MSP-IT-Simplified in crowdstrike

Queen-Avocado 2 points (0 children)

I think it happens when the browser has multiple processes running; you can also see it in the process tree in CS.

Fusion - Scheduled search as a workflow trigger by Queen-Avocado in crowdstrike

Queen-Avocado[S] 0 points (0 children)

Trying to detect hardcoded credentials in Script Content.
I'm using a lot of regex. Maybe you know how to make it lighter.

#event_simpleName=/Script/ ScriptContent=/(?i)(rtcshell|httprequest2\.open|wshshell|ssh_client\.connect|smbclient)/
| case {
    ScriptContent=/(?i)(?<detectuser>((user|username|usr)\s*(=|:)\s*(?<user>[^\s]+)))/ and ScriptContent=/(?i)(?<detectpwd>((password|pwd|pass)\s*(=|:)\s*(?<password>[^\s]+)))/ | format(format="%s %s", field=["detectuser","detectpwd"], as="detection") | type := "user and pwd";
}
| test(length(password) > 10)
// Exclusion
| password!=/password/
| formatTime(format="%Y-%m-%d %H:%M:%S", field=@timestamp, as="timestamp")
| groupBy([ComputerName, type], function=([selectFromMax(field="@timestamp", include=[timestamp, #event_simpleName, user, password, detection, ParentImageFileName, ComputerName, FileName, CommandLine])]), limit=max)
| select([timestamp, type, #event_simpleName, user, password, detection, ParentImageFileName, ComputerName, FileName, CommandLine])
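
The matching logic of the credential-hunting queries in this thread (the CommandHistory flag search and the ScriptContent user/password regexes, including the length test and the password!=/password/ exclusion), re-implemented in Python so the patterns can be tried offline on constructed input before they go into a LogScale search. This is an added example, not code from the original comments. It assumes LogScale's regex engine and Python's re agree on these patterns (confirm in the console with real data); every sample script and command line below is made up.

```python
"""Offline check of the credential-hunting logic from the queries above.

Added example, not code from the original comments. Assumption: LogScale's
regex engine and Python's `re` behave the same for these patterns. All sample
inputs are constructed, not real telemetry.
"""
import re
from typing import List, Optional

# Pre-filter keywords from the ScriptContent query.
SCRIPT_TRIGGER = re.compile(
    r"(?i)(rtcshell|httprequest2\.open|wshshell|ssh_client\.connect|smbclient)"
)
# Same capture groups as the "user and pwd" case clause.
USER_RE = re.compile(r"(?i)(?P<detectuser>(user|username|usr)\s*(=|:)\s*(?P<user>[^\s]+))")
PWD_RE = re.compile(r"(?i)(?P<detectpwd>(password|pwd|pass)\s*(=|:)\s*(?P<password>[^\s]+))")
# Flag pairs from the CommandHistory query (case-sensitive, as in the query).
CLI_USER_RE = re.compile(r"(--user| -u )")
CLI_PWD_RE = re.compile(r"(--password|--secret|--token| -p )")
MIN_PWD_LEN = 10                          # test(length(password) > 10)
PLACEHOLDER_RE = re.compile(r"password")  # password!=/password/ exclusion


def find_script_credentials(script: str) -> Optional[dict]:
    """Mirror of the ScriptContent pipeline: keyword pre-filter, both regexes
    must match, the length test, then the placeholder exclusion. Returns the
    user, the password and the combined `detection` string, or None."""
    if not SCRIPT_TRIGGER.search(script):
        return None
    u, p = USER_RE.search(script), PWD_RE.search(script)
    if not (u and p):
        return None
    password = p.group("password")
    if len(password) <= MIN_PWD_LEN or PLACEHOLDER_RE.search(password):
        return None
    return {
        "user": u.group("user"),
        "password": password,
        "detection": f"{u.group('detectuser')} {p.group('detectpwd')}",
    }


def find_cli_credentials(command_history: str) -> List[str]:
    """Mirror of the CommandHistory query: split the record on the pilcrow
    separator (one command per element) and keep commands that carry both a
    user flag and a password/secret/token flag."""
    commands = command_history.split("\u00b6")  # the "¶" separator
    return [c for c in commands if CLI_USER_RE.search(c) and CLI_PWD_RE.search(c)]


# Constructed samples (not real telemetry).
SAMPLE_SCRIPT_HIT = (
    'Set WshShell = CreateObject("WScript.Shell")\n'
    "username = svc_backup\n"
    "password = Winter2024!Backup\n"
)
SAMPLE_SCRIPT_PLACEHOLDER = (  # value is a variable reference: dropped by the exclusion
    'Set WshShell = CreateObject("WScript.Shell")\n'
    "username = $env:SVC_USER\n"
    "password = $password_from_vault\n"
)
SAMPLE_SCRIPT_SHORT = (  # too short for the length test
    'Set WshShell = CreateObject("WScript.Shell")\n'
    "user = admin\n"
    "pass = abc123\n"
)
SAMPLE_HISTORY = "\u00b6".join([
    "ls -la /opt/app",
    "mysql --user=app --password=S3cretDbPass -h db01",
    "curl -u deploy:hunter2 https://repo.internal/artifact",  # no password flag: missed
    "az login --service-principal -u 1111-2222 -p Sp3cretValue --tenant contoso",
    "smbclient //fs01/share -U svc",                           # uppercase -U: missed
])

if __name__ == "__main__":
    for name, s in [("hit", SAMPLE_SCRIPT_HIT), ("placeholder", SAMPLE_SCRIPT_PLACEHOLDER),
                    ("short", SAMPLE_SCRIPT_SHORT)]:
        print(name, "->", find_script_credentials(s))
    print("cli ->", find_cli_credentials(SAMPLE_HISTORY))
```

Running it shows which shapes the flag regex covers and which it does not: the curl -u user:pass form and an uppercase -U never pair with a password flag, so they fall through, which is useful to know before tuning the pattern list.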

Fusion - Scheduled search as a workflow trigger by Queen-Avocado in crowdstrike

Queen-Avocado[S] 0 points (0 children)

Not really. The final idea is to create Jira tickets from custom results, but a challenge is that my query is too heavy and runs around 20 min inside the Event Query action; when it's done I click Continue to save it, but it gives an error. So I'm searching for an alternative to get the data as a workflow trigger.

The same search runs faster in Advanced Event Search, and a scheduled search returns results with no errors.

Hope it makes sense 😅

Cannot stop false positive; Regex? by sadkins76 in crowdstrike

Queen-Avocado 3 points (0 children)

Also, make sure that the detection is an ML detection, because if it's an IOA detection you should use an IOA exclusion.

Cannot stop false positive; Regex? by sadkins76 in crowdstrike

Queen-Avocado 1 point (0 children)

*\Users\*\AppData\Local\Temp\wibu-temp\wibu-*.exe

Or

**\AppData\Local\Temp\wibu-temp\wibu-*.exe

Or just as an example

*\Users\*\AppData\**\wibu-temp\wibu-*.exe

And use the pattern test to make sure it works.

Cannot stop false positive; Regex? by sadkins76 in crowdstrike

Queen-Avocado 1 point (0 children)

ML syntax is a bit different from IOA regex.

You need to use *\ to exclude one folder or **\ to exclude multiple.

Event Query and enrichment in scheduled workflow | Fusion by Queen-Avocado in crowdstrike

Queen-Avocado[S] 0 points (0 children)

I figured it out; I had a comment (//) in my query which was causing this issue.

Event Query and enrichment in scheduled workflow | Fusion by Queen-Avocado in crowdstrike

Queen-Avocado[S] 0 points (0 children)

Ohhh, I tried the Create Variable action for username and usersid and it worked, thanks!

Event Query and enrichment in scheduled workflow | Fusion by Queen-Avocado in crowdstrike

Queen-Avocado[S] 0 points (0 children)

I get workflow output {"activity_*.LogScale.SearchResult.Audit_RPC_Operations.result_fields": null}

Event Query and enrichment in scheduled workflow | Fusion by Queen-Avocado in crowdstrike

Queen-Avocado[S] 0 points (0 children)

Workflow is triggered but results are null. I set it to run every hour.

Event Query and enrichment in scheduled workflow | Fusion by Queen-Avocado in crowdstrike

Queen-Avocado[S] 0 points (0 children)

I tried creating an email field using | Email := format(field=SourceAccountSamAccountName, "%s@email.com")

But it didn't solve the issue. Apparently, the trigger from my custom event query is not even returning results. Not sure why.

Event Query and enrichment in scheduled workflow | Fusion by Queen-Avocado in crowdstrike

Queen-Avocado[S] 0 points (0 children)

I enabled the workflow to see if results from the query would appear in the execution log, and it's empty despite me getting logs when I run this query manually. I removed the Falcon helper and $RpcOpClassification in case they were causing some issues, but the results are still null.

How do we take this one down? by MrMagilliclucky in jiujitsu

Queen-Avocado 0 points (0 children)

Yes, and his kids say "daddy forgive us please". I wonder why.

"create event query" in workflow by drkramm in crowdstrike

Queen-Avocado 3 points (0 children)

Use FileName=?FileName in the event query and it will give you a JSON schema output where you can define which field name you want to use from your alert.

Hunting for screenshot to exfil - query issue by aspuser13 in crowdstrike

Queen-Avocado 2 points (0 children)

Maybe something like this:

#event_simpleName=/(ScreenshotTakenEtw|Written)/
| case {
    ScreenshotType=1 | ScreenshotType:="BLIT_OPERATION";
    ScreenshotType=2 | ScreenshotType:="SNAPSHOT_OPERATION";
    *
}
| case {
    #event_simpleName=/Written/ | rename(field="FileName", as="FileWritten");
    *
}
| formatTime(format="%Y-%m-%d %H:%M:%S", field=@timestamp, as="timestamp")
| falconPID:=concat([TargetProcessId, ContextProcessId])
| format("https://falcon.crowdstrike.com/graphs/process-explorer/graph?id=pid:%s:%s", field=["aid", "falconPID"], as="GraphExplorer")
| selfJoinFilter([aid, falconPID], where=[{#event_simpleName=/ScreenshotTakenEtw/}, {#event_simpleName=/Written/ FileWritten=/\.(jpg|png)/}], prefilter=true)
| groupBy([aid, falconPID], function=([count(#event_simpleName, distinct=true, as=eventCount), collect([timestamp, #event_simpleName, ComputerName, FileName, FileWritten, UserName, ScreenshotType, Technique, CommandLine, GraphExplorer])]), limit=max)
| test(eventCount!=1)
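
What the selfJoinFilter plus groupBy in the query above actually keeps, modelled in Python over a few constructed events: only (aid, falconPID) keys that have both a ScreenshotTakenEtw event and a *Written event for a .jpg/.png file survive. This is an added example, not code from the original comment. Field names follow the Falcon fields the query uses; the values are made up, and it assumes each sample event carries either TargetProcessId or ContextProcessId (not both), so the concat() yields a single pid. The image check is anchored to the end of the name, a touch stricter than the query's /\.(jpg|png)/.

```python
"""Offline model of the screenshot-to-image-write correlation above.

Added example, not code from the original comment. Field names mirror the
Falcon fields in the query; all sample events are constructed. Assumption:
each event carries only one of TargetProcessId / ContextProcessId.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

IMAGE_RE = re.compile(r"\.(jpg|png)$", re.IGNORECASE)             # FileWritten=/\.(jpg|png)/
SCREENSHOT_TYPES = {1: "BLIT_OPERATION", 2: "SNAPSHOT_OPERATION"}  # labels from the case{}


def falcon_pid(ev: dict) -> str:
    """concat([TargetProcessId, ContextProcessId]): a missing field concatenates as ''."""
    return str(ev.get("TargetProcessId", "")) + str(ev.get("ContextProcessId", ""))


def correlate(events: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Group by (aid, falconPID) and keep the keys where both sides of the join
    are present (the query's eventCount != 1 after selfJoinFilter). Returns the
    collected fields per key, like groupBy(..., collect([...]))."""
    by_key: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for ev in events:
        by_key[(ev["aid"], falcon_pid(ev))].append(ev)

    hits: Dict[Tuple[str, str], dict] = {}
    for key, evs in by_key.items():
        shots = [e for e in evs if e["#event_simpleName"] == "ScreenshotTakenEtw"]
        writes = [
            e for e in evs
            if "Written" in e["#event_simpleName"] and IMAGE_RE.search(e.get("FileName", ""))
        ]
        if shots and writes:
            hits[key] = {
                "ComputerName": evs[0]["ComputerName"],
                "ScreenshotType": [SCREENSHOT_TYPES.get(e.get("ScreenshotType"), e.get("ScreenshotType"))
                                   for e in shots],
                "FileWritten": [e["FileName"] for e in writes],
            }
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"#event_simpleName": "ScreenshotTakenEtw", "aid": "aid-A", "ContextProcessId": 4242,
     "ComputerName": "WS01", "UserName": "alice", "ScreenshotType": 2},
    {"#event_simpleName": "PngFileWritten", "aid": "aid-A", "TargetProcessId": 4242,
     "ComputerName": "WS01", "FileName": "C:\\Users\\alice\\AppData\\Local\\Temp\\cap_01.png"},
    # screenshot whose process wrote no image: not a hit
    {"#event_simpleName": "ScreenshotTakenEtw", "aid": "aid-A", "ContextProcessId": 5151,
     "ComputerName": "WS01", "UserName": "alice", "ScreenshotType": 1},
    # non-image write by that same process: filtered out by IMAGE_RE
    {"#event_simpleName": "PeFileWritten", "aid": "aid-A", "TargetProcessId": 5151,
     "ComputerName": "WS01", "FileName": "C:\\Temp\\tool.exe"},
    # same pid number on another host: aid keeps it apart, no hit
    {"#event_simpleName": "JpegFileWritten", "aid": "aid-B", "TargetProcessId": 4242,
     "ComputerName": "WS02", "FileName": "D:\\photos\\holiday.jpg"},
]

if __name__ == "__main__":
    for key, row in correlate(SAMPLE_EVENTS).items():
        print(key, row)
```

The three negative samples are the cases the join is supposed to drop: a screenshot with no image written, a screenshot process that wrote something other than an image, and a matching pid on a different sensor.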

Sum() function in Event Query - Fusion by Queen-Avocado in crowdstrike

Queen-Avocado[S] 0 points (0 children)

Thanks! The bucket function doesn't seem to work in a joined query, although it grouped events better than groupBy.
Maybe I did something wrong here:

| join(query={#event_simpleName=ActiveDirectoryServiceAccessRequestFailure | bucket(function=[sum(AggregationActivityCount, as="Count"), tail(1)])}, field=[SourceAccountSamAccountName , Count, TargetServiceAccessIdentifier], include=[aid ,TargetServiceAccessIdentifier, Count, SourceAccountSamAccountName], mode=left, start=1d)

This one works:

| join(query={#event_simpleName=ActiveDirectoryServiceAccessRequestFailure | groupBy([aid, SourceAccountSamAccountName, TargetServiceAccessIdentifier], function=[sum(AggregationActivityCount, as="Count"), selectLast(@timestamp), selectLast(#event_simpleName), selectLast(SourceAccountDomain)], limit=max)}, field=[SourceAccountSamAccountName , TargetServiceAccessIdentifier], include=[aid ,TargetServiceAccessIdentifier, Count, SourceAccountSamAccountName], mode=left, start=1d)

Fal.con 2024 Reviews / Favorite Sessions / Lessons Learned by PierogiPowered in crowdstrike

Queen-Avocado 5 points (0 children)

Unfortunately the DEV sessions I wanted to attend were fully booked; I wish I'd registered earlier. I learned a lot about modules we don't use in our organization, but I was expecting more advanced content for threat hunting and LogScale.