Built off the open source project Osquery
Description: This query lists files in Windows users' subfolders that are private key files (.pfx, .p12) or password manager database files (KeePass - .kdb and .kdbx, Bitser Password File - .bpw, Password Safe - .plk). The issue is that some password managers can be brute-forced and private key passwords are weak.
What The Data Shows: The data shows which password managers are installed, as well as private key files. It is important to ensure that private keys and password managers have strong passwords.
SQL:
SELECT f.filename, f.path, u.username, h.sha256,
       datetime(f.atime, 'unixepoch', 'localtime') AS atime,
       datetime(f.ctime, 'unixepoch', 'localtime') AS ctime,
       datetime(f.mtime, 'unixepoch', 'localtime') AS mtime
FROM file AS f
JOIN users AS u USING (uid)
JOIN hash AS h USING (path)
-- Match private key containers and password manager databases by filename
WHERE (filename LIKE '%.plk%' OR filename LIKE '%.kdb' OR filename LIKE '%.kdbx%'
       OR filename LIKE '%.p12' OR filename LIKE '%.pfx' OR filename LIKE '%.bpw')
  -- %% is the recursive wildcard of the osquery file table
  AND path LIKE '\Users%%';
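Added example (not part of the original submission): a short Python triage of this query's JSON results. It labels each hit using the extension list from the description and groups hits by the sha256 column to find the same key container or password database owned by more than one user. The sample rows, hash values and function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Extension -> category, taken from the query description. Longer extensions
# come first so ".kdbx" is not reported as ".kdb".
KINDS = [
    (".kdbx", "KeePass database"),
    (".kdb", "KeePass database"),
    (".bpw", "Bitser password file"),
    (".plk", "Password Safe file"),
    (".pfx", "private key container"),
    (".p12", "private key container"),
]

def classify(filename):
    """Label one hit; substring match mirrors the query's '%.kdbx%' style patterns."""
    name = filename.lower()
    for ext, kind in KINDS:
        if ext in name:
            return kind
    return "unknown"

def triage(rows):
    """Group hits by SHA-256: {sha256: {"kind", "users", "paths"}}."""
    groups = defaultdict(lambda: {"kind": None, "users": set(), "paths": []})
    for row in rows:
        g = groups[row["sha256"]]
        g["kind"] = classify(row["filename"])
        g["users"].add(row["username"])  # username is the file owner (join on uid)
        g["paths"].append(row["path"])
    return dict(groups)

def shared(groups):
    """Hashes whose copies are owned by more than one user: one secret, several copies."""
    return sorted(h for h, g in groups.items() if len(g["users"]) > 1)

# Constructed sample in the shape of `osqueryi --json` output (values are made up).
SAMPLE = json.loads(r"""[
 {"filename":"vpn.pfx","path":"C:\\Users\\alice\\Documents\\vpn.pfx","username":"alice","sha256":"aa11"},
 {"filename":"vpn.pfx","path":"C:\\Users\\bob\\Desktop\\vpn.pfx","username":"bob","sha256":"aa11"},
 {"filename":"home.kdbx","path":"C:\\Users\\alice\\home.kdbx","username":"alice","sha256":"bb22"}
]""")

if __name__ == "__main__":
    groups = triage(SAMPLE)
    for digest in shared(groups):
        g = groups[digest]
        print(digest, g["kind"], sorted(g["users"]), g["paths"])
```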