- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
06-15-2021 08:19 AM
Hello community!
Do you know whether it´s possible in Cortext XDR Pro to build a query to Search For Password Files ?
Many thanks!
06-16-2021 03:50 AM - edited 06-16-2021 03:55 AM
HI Carracido,
The answer will be two parts since i am not sure which one you meant:
1. In XDR Pro you can use XQL to build queries, My advice will be to either use a specific name if there is one or search for files from a specific extension.
2. Since XDR does not look into files, there is no way to know if the file is password protected.
I hope this helps.
06-23-2021 06:38 AM
simply searching for the word "password" in the file name has really worked well for us and it is also what most of our pentest engagements use.
06-23-2021 09:55 AM
@PeteJacobCF, if the word password is not in the name, XDR/XQL will not be able to tell you that a file is not password protected.
06-24-2021 09:30 AM
yes exactly. I was simply saying that we have had some good success finding our users "password" files... meaning txt or .doc files users use to store passwords and usernames in. I was not saying this would find password protected files...
07-18-2021 08:50 PM
This one will find password on command line argument, you will be surprised if you find a clear text password on this query
dataset = xdr_data
| filter actor_process_command_line = "*pass*"
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!