Query to Search For Password Files in Cortex XDR Pro

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Query to Search For Password Files in Cortex XDR Pro

L3 Networker

Hello community!

 

Do you know whether it´s possible in Cortext XDR Pro to build a query to Search For Password Files ?

 

Many thanks!

5 REPLIES 5

L1 Bithead

HI Carracido, 

 

The answer will be two parts since i am not sure which one you meant:

1. In XDR Pro you can use XQL to build queries, My advice will be to either use a specific name if there is one or search for files from a specific extension.

2. Since XDR does not look into files, there is no way to know if the file is password protected.

 

I hope this helps.

 

L3 Networker

simply searching for the word "password" in the file name has really worked well for us and it is also what most of our pentest engagements use.

@PeteJacobCF, if the word password is not in the name, XDR/XQL will not be able to tell you that a file is not password protected.

yes exactly. I was simply saying that we have had some good success finding our users "password" files... meaning txt or .doc files users use to store passwords and usernames in. I was not saying this would find password protected files... 

L1 Bithead

This one will find password on command line argument, you will be surprised if you find a clear text password on this query

 

dataset = xdr_data
| filter actor_process_command_line = "*pass*"

  • 4596 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!