The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Search for Password Files

Description: This query shows filenames in windows users subfolders that may contain passwords.

What The Data Shows: Attackers like to live off the land, by searching and educating end users on the issues regarding plaintext passwords the security posture in organizations will improve and make it more difficult to pivot, steal personal information, etc. 

SQL:

 

SELECT f.filename, f.path, u.username, h.sha256,
   datetime(f.atime,"unixepoch","localtime") AS atime,
   datetime(f.ctime,"unixepoch","localtime") AS ctime,
   datetime(f.mtime,"unixepoch","localtime") AS mtime
FROM file as f
JOIN users AS u USING(uid)
JOIN hash AS h USING(path)
WHERE ((filename like "%passw%") OR (filename like "%pwd%")) and path like "\Users%%";

 

 

5 Comments
jnelson
Carbon Black Employee
Status changed to: Under Review

@ksnihur when you look at the logic for the filenames you are looking for these two will find the same filenames:

filename like "%password%"

filename like "%passw%"

Therefore, you would make you query more efficient by removing the one looking for "%password%).

Also, "C:" is not necessary for the path statements to work.

ksnihur
Contributor II

@jnelson, Thanks for noticing and pointing out, one of these days I'll submit 3 without you finding any issues, although these work without your tips I totally understand and the requested changes make sense. 

jnelson
Carbon Black Employee
Status changed to: Approved
 
dale_a_brown
New Contributor II

Does anyone know how to conduct the same search, but just look for specific file types such as .pdf, docx etc??

jnelson
Carbon Black Employee

@dale_a_brown Here you go:

SELECT f.filename, f.path, u.username, h.sha256,

  datetime(f.atime,"unixepoch","localtime") AS atime,
  datetime(f.ctime,"unixepoch","localtime") AS ctime,
  datetime(f.mtime,"unixepoch","localtime") AS mtime
FROM file as f
JOIN users AS u USING(uid)
JOIN hash AS h USING(path)
WHERE (filename like "%passw%" OR filename like "%pwd%")
  and (filename like "%.pdf" OR filename like "%docx")
  and path like "\Users%%";