Additional cred extractors for snaffler output

neonbunny · neonbunny · commit 4f1361f10b7e · 2024-11-16T17:55:47.000Z
diff --git a/event_tracker/cred_extractor/snaffler_extractor.py b/event_tracker/cred_extractor/snaffler_extractor.py
@@ -7,6 +7,8 @@
 net_user_add_command = re.compile(r'net user (/add )?((?P<system>\S+)\\)?(?P<account>\S+) (?P<secret>\S+)$', re.IGNORECASE + re.MULTILINE)
 net_use_command = re.compile(r'net use (?:\S+ )?(?P<purpose>\\\S+)(?=.*/user)(?: /user:((?P<system>\S+)\\)?(?P<account>\S+)| (?P<secret>[^/]\S+)| /\S+){2,}?', re.IGNORECASE + re.MULTILINE)
 dotnet_connection_string = re.compile(r'\"(;?\s*User ID=(?P<account>[^;\"]+)|;?\s*Password=(?P<secret>[^;\"]+)|;?\s*(Data Source|Server)=(?P<system>[^;\"]+)|;?[^\";]+)+', re.IGNORECASE)
+db_connection_string = re.compile(r'(?=.*Password=)(;?\s*User ID=(?P<account>[^;<>\"]+)|;?\s*Password=(?P<secret>[^;<>\"]+)|;?\s*(Data Source|Server)=(?P<system>[^;<>\"]+)|;?[^;<>\"]+)+', re.IGNORECASE)  # Similar to above, but embedded in XML, so switch quotes to angle brackets
+websense_client_password = re.compile(r'WDEUtil[^\n]+-password +(?P<secret>\S+)', re.IGNORECASE)
 
 class SnafflerExtractor(CredentialExtractor):
     def extract(self, input_text: str, default_system: str) -> [Credential]:
@@ -44,6 +46,26 @@ def extract(self, input_text: str, default_system: str) -> [Credential]:
                                                source_time=match['ainfo'].split('|')[-1],
                                                purpose='DB Credentials'))
 
+            if match["ainfo"].startswith("KeepDbConnStringPw|"):
+                content = self.unescape_content(match)
+                for innermatch in db_connection_string.finditer(content):
+                    if innermatch.group("secret"):
+                        innermatch_dict = remove_quotes(innermatch.groupdict())
+                        result.append(Credential(**innermatch_dict,
+                                               source=match['binfo'],
+                                               source_time=match['ainfo'].split('|')[-1],
+                                               purpose='DB Credentials'))
+
+            if match["ainfo"].startswith("KeepPassOrKeyInCode|"):
+                content = self.unescape_content(match)
+                for innermatch in websense_client_password.finditer(content):
+                    if innermatch.group("secret"):
+                        innermatch_dict = remove_quotes(innermatch.groupdict())
+                        result.append(Credential(**innermatch_dict,
+                                               source=match['binfo'],
+                                               source_time=match['ainfo'].split('|')[-1],
+                                               purpose='Websense Client Password'))
+
         return result
 
     def unescape_content(self, match):
