From 2534b927e99c6d001db696d21f1231a9572bb4ad Mon Sep 17 00:00:00 2001 From: Roman Babenko Date: Mon, 9 Sep 2024 11:38:54 +0300 Subject: [PATCH] Command line patterns (#605) * CMD arguments patterns * CMD passwor,token,salt * BM ci Upd --- .ci/benchmark.txt | 95 ++++---- credsweeper/rules/config.yaml | 56 +++++ tests/__init__.py | 10 +- tests/data/depth_3.json | 297 +++++++++++++++++++++++++ tests/data/doc.json | 71 ++++++ tests/data/ml_threshold.json | 378 ++++++++++++++++++++++++++++++++ tests/data/output.json | 297 +++++++++++++++++++++++++ tests/samples/cmd_credential | 4 + tests/samples/cmd_secure_string | 2 + 9 files changed, 1161 insertions(+), 49 deletions(-) create mode 100644 tests/samples/cmd_credential create mode 100644 tests/samples/cmd_secure_string diff --git a/.ci/benchmark.txt b/.ci/benchmark.txt index fe555cbaf..70265b227 100644 --- a/.ci/benchmark.txt +++ b/.ci/benchmark.txt @@ -1,9 +1,9 @@ -META MD5 67039fe64aba3375bbcf27f16984acc5 -DATA MD5 4833f5614e463ecc7989b00a29499240 -DATA: 16345157 interested lines. MARKUP: 62644 items +META MD5 09ddf796180413981211440a025cfb27 +DATA MD5 7b62b847e5b876e1418ad2fc26d2ed35 +DATA: 16345596 interested lines. MARKUP: 62804 items FileType FileNumber ValidLines Positives Negatives Templates --------------- ------------ ------------ ----------- ----------- ----------- - 194 28318 66 414 85 + 194 28318 70 417 91 .1 2 641 2 5 .admx 1 26 1 .adoc 1 158 13 6 1 
@@ -12,30 +12,30 @@ FileType FileNumber ValidLines Positives Negatives Templat .axaml 5 286 5 .backup 1 62 2 1 .bash 2 2158 2 1 -.bat 4 233 14 2 +.bat 5 248 2 14 2 .bats 15 2804 14 49 9 .bazel 3 424 8 .build 2 40 3 .bundle 4 1512 580 .bzl 3 2503 11 -.c 179 284009 8 942 5 +.c 179 284009 8 944 5 .cc 29 30562 617 1 .cf 3 126 2 1 .cfg 1 385 1 1 -.cjs 1 725 3 6 +.cjs 1 725 3 7 .clj 2 133 3 .cljc 5 2421 11 .cls 1 657 1 .cmd 4 401 2 3 .cnf 8 858 15 36 16 .coffee 1 585 2 -.conf 60 4945 53 67 53 +.conf 60 4945 55 64 53 .config 20 492 16 38 1 .cpp 15 5688 2 61 .creds 1 10 1 1 .crlf 1 27 1 .crt 2 4979 211 -.cs 268 79532 158 894 94 +.cs 268 79532 160 894 94 .cshtml 5 180 12 .csp 3 379 9 .csproj 1 14 1 @@ -63,7 +63,7 @@ FileType FileNumber ValidLines Positives Negatives Templat .gd 1 37 1 .gml 3 3075 16 .gni 3 5017 19 -.go 1080 566476 692 4117 739 +.go 1080 566476 695 4122 738 .golden 5 1168 1 13 29 .gradle 45 3265 4 90 100 .graphql 7 420 13 @@ -76,29 +76,30 @@ FileType FileNumber ValidLines Positives Negatives Templat .html 53 15327 22 110 18 .idl 2 777 1 4 .iml 6 699 30 -.in 6 2130 6 43 10 +.in 6 2130 6 44 10 .inc 2 56 2 1 .ini 11 1437 25 12 18 .ipynb 1 134 5 -.j 1 241 2 2 +.j 1 241 4 .j2 30 5530 6 186 10 -.java 621 134132 360 1366 171 +.java 621 134132 361 1367 170 .jenkinsfile 1 58 2 6 .jinja2 1 64 2 -.js 659 536413 535 2489 330 -.json 850 13046270 1070 10897 140 +.js 659 536413 535 2496 328 +.json 851 13046493 1071 10911 140 .jsp 13 3202 1 40 .jsx 7 857 19 .jwt 1 1 2 .key 83 2737 70 14 -.kt 123 20774 67 379 3 +.ks 1 25 1 +.kt 123 20774 64 382 3 .l 1 982 1 -.las 1 6656 35 +.las 1 6656 36 .lasso 1 230 7 .lasso9 1 164 5 .ldif 2 286 20 .ldiff 1 20 1 -.ldml 1 6656 35 +.ldml 1 6656 36 .leex 1 9 2 .less 4 3023 12 .libsonnet 2 210 1 11 
@@ -112,10 +113,10 @@ FileType FileNumber ValidLines Positives Negatives Templat .markdown 3 139 3 1 .markerb 3 12 3 .marko 1 21 2 -.md 674 149399 710 2336 624 +.md 675 149568 738 2395 623 .mdx 3 549 7 .mjml 1 18 1 -.mjs 22 4424 76 340 +.mjs 22 4424 75 340 .mk 1 5878 13 .ml 1 1856 16 .mlir 2 1596 19 @@ -124,7 +125,7 @@ FileType FileNumber ValidLines Positives Negatives Templat .mqh 1 1023 2 .msg 1 26644 1 1 .mysql 1 36 2 -.ndjson 2 5006 69 237 2 +.ndjson 2 5006 75 239 2 .nix 4 211 12 .nolint 1 2 1 .odd 1 1281 43 @@ -134,7 +135,7 @@ FileType FileNumber ValidLines Positives Negatives Templat .patch 4 109405 4 27 .pbxproj 1 941 2 .pem 48 1169 47 8 -.php 371 75710 128 1619 79 +.php 371 75710 129 1620 79 .pl 16 14727 6 34 .pm 3 744 7 .po 3 2994 15 @@ -145,20 +146,20 @@ FileType FileNumber ValidLines Positives Negatives Templat .ppk 1 45 36 .private 1 15 1 .proj 1 85 5 -.properties 48 1621 52 27 33 +.properties 48 1621 54 27 32 .proto 5 5768 2 49 -.ps1 16 8509 15 64 2 +.ps1 16 8509 15 74 2 .ps1xml 1 5022 1 .pug 2 193 2 .purs 1 69 4 .pxd 1 150 5 2 -.py 890 291553 680 3292 728 +.py 890 291553 684 3298 724 .pyi 4 1361 9 .pyp 1 167 1 .pyx 2 1094 23 .r 4 62 6 3 1 .rake 2 51 2 -.rb 860 131838 258 3311 613 +.rb 860 131838 259 3335 613 .re 1 31 1 .red 1 159 1 .release 1 13 4 @@ -168,23 +169,23 @@ FileType FileNumber ValidLines Positives Negatives Templat .rnh 1 1354 3 2 .rno 1 7229 2 .rrc 39 1404 281 -.rs 31 9855 2 233 11 +.rs 31 9855 2 234 11 .rsc 1 691 1 -.rsp 16 7101 19 10 28 -.rst 86 33980 70 321 68 +.rsp 16 7101 20 10 27 +.rst 86 33980 69 323 68 .rules 1 6 2 .sample 2 25 3 4 4 .sbt 3 570 5 2 .scala 40 5071 22 101 .scss 16 8553 32 1 .secrets 1 11 1 -.sh 143 21525 51 466 30 +.sh 143 21525 54 480 30 .slim 1 153 1 2 .smali 1 775 18 .snap 3 1708 9 30 2 .spec 2 332 2 .spin 1 565 1 -.sql 27 6606 126 57 3 +.sql 27 6606 126 60 3 .storyboard 20 1802 341 .strings 20 1240 137 .stub 3 84 6 
@@ -208,35 +209,41 @@ FileType FileNumber ValidLines Positives Negatives Templat .ts 583 106730 159 1800 201 .tsx 54 7914 1 114 5 .ttar 1 452 1 -.txt 440 78102 5299 6343 49 +.txt 440 78102 5271 6373 49 .utf8 1 77 2 .vsixmanifest 1 36 1 .vsmdi 1 6 2 .vue 50 8736 1 154 1 -.xaml 21 8103 162 +.xaml 21 8103 163 .xcscheme 1 109 6 .xib 11 503 169 .xml 9 689 9 .xsl 1 311 1 -.yaml 137 19004 123 345 44 -.yml 418 36162 545 892 380 +.yaml 137 19004 125 345 42 +.yml 419 36169 548 891 379 .zsh 6 872 12 .zsh-theme 1 97 1 -TOTAL: 10259 16345157 12150 50325 5111 -credsweeper result_cnt : 11387, lost_cnt : 0, true_cnt : 11084, false_cnt : 303 +TOTAL: 10264 16345596 12186 50511 5103 +NEARBY (33, 41) 1479585,7708ebf0,GitHub,6c73b80a,data/6c73b80a/test/7708ebf0.go,5079,5079,F,F,33,43,F,F,,,,,0.0,0,F,F,F,Password +NEARBY (33, 41) 1479586,7708ebf0,GitHub,6c73b80a,data/6c73b80a/test/7708ebf0.go,5083,5083,F,F,33,43,F,F,,,,,0.0,0,F,F,F,Password +credsweeper result_cnt : 11418, lost_cnt : 2, true_cnt : 11110, false_cnt : 306 Rules Positives Negatives Templates Reported TP FP TN FN FPR FNR ACC PRC RCL F1 ------------------------------ ----------- ----------- ----------- ---------- ----- ---- ----- ---- -------- -------- -------- -------- -------- -------- -API 128 3161 189 119 115 4 3346 13 0.001194 0.101562 0.995112 0.966387 0.898438 0.931174 +API 129 3162 189 118 115 3 3348 14 0.000895 0.108527 0.995115 0.974576 0.891473 0.931174 AWS Client ID 167 21 0 160 160 0 21 7 0.000000 0.041916 0.962766 1.000000 0.958084 0.978593 AWS Multi 75 16 0 87 75 11 5 0 0.687500 0.000000 0.879121 0.872093 1.000000 0.931677 AWS S3 Bucket 66 24 0 92 66 24 0 0 1.000000 0.000000 0.733333 0.733333 1.000000 0.846154 Atlassian Old PAT token 27 308 3 12 3 8 303 24 0.025723 0.888889 0.905325 0.272727 0.111111 0.157895 -Auth 418 2727 76 393 376 17 2786 42 0.006065 0.100478 0.981683 0.956743 0.899522 0.927250 +Auth 420 2734 76 393 376 17 2793 44 0.006050 0.104762 0.981115 0.956743 0.895238 0.924969 Azure Access Token 19 
0 0 12 12 0 0 7 0.368421 0.631579 1.000000 0.631579 0.774194 BASE64 Private Key 7 4 0 7 7 0 4 0 0.000000 0.000000 1.000000 1.000000 1.000000 1.000000 BASE64 encoded PEM Private Key 7 0 0 5 5 0 0 2 0.285714 0.714286 1.000000 0.714286 0.833333 Bitbucket Client ID 143 2097 9 48 28 19 2087 115 0.009022 0.804196 0.940418 0.595745 0.195804 0.294737 Bitbucket Client Secret 301 809 10 40 29 11 808 272 0.013431 0.903654 0.747321 0.725000 0.096346 0.170088 +CMD ConvertTo-SecureString 13 4 0 10 10 0 4 3 0.000000 0.230769 0.823529 1.000000 0.769231 0.869565 +CMD Password 21 128 6 17 17 0 134 4 0.000000 0.190476 0.974194 1.000000 0.809524 0.894737 +CMD Secret 1 1 0 1 1 0 1 0 0.000000 0.000000 1.000000 1.000000 1.000000 1.000000 +CMD Token 6 0 0 5 5 0 0 1 0.166667 0.833333 1.000000 0.833333 0.909091 Certificate 23 471 1 24 18 6 466 5 0.012712 0.217391 0.977778 0.750000 0.782609 0.765957 Credential 95 420 74 93 93 0 494 2 0.000000 0.021053 0.996604 1.000000 0.978947 0.989362 Docker Swarm Token 2 0 0 1 1 0 0 1 0.500000 0.500000 1.000000 0.500000 0.666667 
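Review bot: The summary line moves from `lost_cnt : 0` to `lost_cnt : 2`, and the two new `NEARBY (33, 41)` rows point at Password markups in `data/6c73b80a/test/7708ebf0.go` at lines 5079 and 5083 whose marked span is 33–43, so the scanner now reports a value two characters shorter than the markup and those true positives are no longer counted; the commit message does not mention this regression. Presumably one of the new CMD rules (most likely `CMD Password`, whose unquoted value class stops at whitespace, quotes or a backslash) now claims those lines with a different value boundary and displaces the old hit — confirm by diffing the per-line report for that file before and after, then either tighten the new rule's value pattern or update the markup if the shorter span is the more accurate one. Note also that only `CMD Password` is measured against a meaningful negative set (128); `CMD Token` and `CMD Secret` have 0–1 negatives, so their 0.0 FPR carries little evidence yet.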
@@ -253,17 +260,17 @@ Grafana Provisioned API Key 22 1 0 JSON Web Token 170 61 0 131 131 0 61 39 0.000000 0.229412 0.831169 1.000000 0.770588 0.870432 Jira / Confluence PAT token 0 4 0 0 0 4 0 0.000000 1.000000 Jira 2FA 15 6 1 12 12 0 7 3 0.000000 0.200000 0.863636 1.000000 0.800000 0.888889 -Key 3918 15693 482 3973 3880 93 16082 38 0.005750 0.009699 0.993480 0.976592 0.990301 0.983399 +Key 3899 15718 482 3963 3863 100 16100 36 0.006173 0.009233 0.993233 0.974767 0.990767 0.982702 Nonce 91 49 0 87 87 0 49 4 0.000000 0.043956 0.971429 1.000000 0.956044 0.977528 Other 0 8291 1 0 0 8292 0 0.000000 1.000000 PEM Private Key 1019 1483 0 1023 1019 4 1479 0 0.002697 0.000000 0.998401 0.996090 1.000000 0.998041 -Password 1843 7527 2711 1719 1661 58 10180 182 0.005665 0.098752 0.980134 0.966259 0.901248 0.932622 +Password 1854 7542 2702 1728 1669 57 10187 185 0.005564 0.099784 0.979997 0.966976 0.900216 0.932402 Salt 45 76 2 42 41 1 77 4 0.012821 0.088889 0.959350 0.976190 0.911111 0.942529 Secret 1297 1575 799 1270 1268 2 2372 29 0.000842 0.022359 0.991555 0.998425 0.977641 0.987924 Seed 1 6 0 0 0 6 1 0.000000 1.000000 0.857143 0.000000 Slack Token 4 1 0 4 4 0 1 0 0.000000 0.000000 1.000000 1.000000 1.000000 1.000000 -Token 648 4177 438 599 586 13 4602 62 0.002817 0.095679 0.985750 0.978297 0.904321 0.939856 +Token 646 4176 438 598 586 12 4602 60 0.002601 0.092879 0.986312 0.979933 0.907121 0.942122 Twilio API Key 0 5 2 0 0 7 0 0.000000 1.000000 -URL Credentials 208 145 225 212 205 6 364 3 0.016216 0.014423 0.984429 0.971564 0.985577 0.978520 +URL Credentials 210 151 220 213 207 5 366 3 0.013477 0.014286 0.986231 0.976415 0.985714 0.981043 UUID 1069 265 0 1068 1067 1 264 2 0.003774 0.001871 0.997751 0.999064 0.998129 0.998596 - 12150 50325 5111 11395 11084 303 50022 1066 0.006021 0.087737 0.978087 0.973391 0.912263 0.941836 + 12186 50511 5103 11426 11110 306 50205 1076 0.006058 0.088298 0.977957 0.973196 0.911702 0.941446 
diff --git a/credsweeper/rules/config.yaml b/credsweeper/rules/config.yaml
index 29c266f8e..1fd586ba8 100644
--- a/credsweeper/rules/config.yaml
+++ b/credsweeper/rules/config.yaml
@@ -660,6 +660,62 @@
 - code
 - doc
 
+- name: CMD ConvertTo-SecureString
+ severity: high
+ confidence: moderate
+ type: pattern
+ values:
+ - (^|\W|\\[tnr])(?PConvertTo-SecureString(\s\s*-(String|AsPlainText|Force))*)\s\s*(?P(\\?[\"']){1,3})?(?P(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,800})(?(value_leftquote)(?P(\\?[\"']){1,3}))
+ filter_type: GeneralKeyword
+ use_ml: true
+ required_substrings:
+ - convertto-securestring
+ min_line_len: 27
+ target:
+ - code
+
+- name: CMD Password
+ severity: high
+ confidence: moderate
+ type: pattern
+ values:
+ - (^|\W|\\[tnr])(?P-[A-Za-z_-]*(?i:pass(in|out|word|phrase)))\s\s*(?!-)(?P(\\?[\"']){1,3})?(pass:)?(?!file:|env:|fd:)(?P(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,80})(?(value_leftquote)(?P(\\?[\"']){1,3}))
+ filter_type: GeneralKeyword
+ use_ml: true
+ required_substrings:
+ - pass
+ min_line_len: 12
+ target:
+ - code
+
+- name: CMD Token
+ severity: high
+ confidence: moderate
+ type: pattern
+ values:
+ - (^|\W|\\[tnr])(?P-[A-Za-z_-]*(?i:token))\s\s*(?!-)(?P(\\?[\"']){1,3})?(?P(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,4000})(?(value_leftquote)(?P(\\?[\"']){1,3}))
+ filter_type: GeneralKeyword
+ use_ml: true
+ required_substrings:
+ - token
+ min_line_len: 12
+ target:
+ - code
+
+- name: CMD Secret
+ severity: high
+ confidence: moderate
+ type: pattern
+ values:
+ - (^|\W|\\[tnr])(?P-[A-Za-z_-]*(?i:secret)[A-Za-z_-]*)\s\s*(?!-)(?P(\\?[\"']){1,3})?(pass:)?(?!file:|env:|fd:)(?P(?(value_leftquote)[^\"'\\]|[^\s\"'\\]){4,4000})(?(value_leftquote)(?P(\\?[\"']){1,3}))
+ filter_type: GeneralKeyword
+ use_ml: true
+ required_substrings:
+ - secret
+ min_line_len: 12
+ target:
+ - code
+
 - name: URL Credentials
 severity: high
 confidence: moderate
diff --git a/tests/__init__.py b/tests/__init__.py
index 9ebe9b7ba..b2d876e71 100644
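Review bot: The `CMD ConvertTo-SecureString` value pattern has no `(?!-)` guard after `\s\s*`, unlike the three rules below it, so when the cmdlet is followed by a parameter outside the `(String|AsPlainText|Force)` list — e.g. `ConvertTo-SecureString -Key $k -String $enc` or `-SecureKey ...` — the next switch name itself (`-Key`, four characters) satisfies the unquoted value class and is captured as the secret; insert `(?!-)` in the same position as in `CMD Password`. The cmdlet and parameter names are also matched case-sensitively although PowerShell is not (`convertto-securestring -asplaintext -force "pw"` will not match), while `required_substrings` already uses the lowercase form and evidently fires on the mixed-case sample, so wrapping the variable group as `(?i:ConvertTo-SecureString(\s\s*-(String|AsPlainText|Force))*)` would make the two consistent. For `CMD Password`, openssl's `-passin`/`-passout` also accept the source `stdin`, which the `{4,80}` value class will happily report; extend the lookahead to `(?!file:|env:|fd:|stdin\b)`. Finally, because `CMD Secret` permits a trailing `[A-Za-z_-]*` after `secret` and `CMD Token` places no restriction on its prefix, an option such as `--super-secret_token` is reported by both rules for the same value (the expected outputs in this commit carry that duplicate for line 4 of `tests/samples/cmd_credential`), which looks unintended and should be settled by either excluding `secret` from the Token prefix or documenting the overlap.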
--- a/tests/__init__.py
+++ b/tests/__init__.py
@@ -1,20 +1,20 @@
 from pathlib import Path
 
 # total number of files in test samples
-SAMPLES_FILES_COUNT: int = 130
+SAMPLES_FILES_COUNT: int = 132
 
 # the lowest value of ML threshold is used to display possible lowest values
 NEGLIGIBLE_ML_THRESHOLD = 0.0001
 
 # credentials count after scan
-SAMPLES_CRED_COUNT: int = 364
-SAMPLES_CRED_LINE_COUNT: int = 381
+SAMPLES_CRED_COUNT: int = 378
+SAMPLES_CRED_LINE_COUNT: int = 395
 
 # credentials count after post-processing
-SAMPLES_POST_CRED_COUNT: int = 336
+SAMPLES_POST_CRED_COUNT: int = 347
 
 # with option --doc
-SAMPLES_IN_DOC = 417
+SAMPLES_IN_DOC = 419
 
 # archived credentials that are not found without --depth
 SAMPLES_IN_DEEP_1 = SAMPLES_POST_CRED_COUNT + 23
diff --git a/tests/data/depth_3.json b/tests/data/depth_3.json
index 3fb5e607b..2ed9c503b 100644
--- a/tests/data/depth_3.json
+++ b/tests/data/depth_3.json
@@ -1208,6 +1208,141 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.996, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "mysql -u root --password Sne3sd8AZjq", + "line_num": 2, + "path": "tests/samples/cmd_credential", + "info": "tests/samples/cmd_credential|RAW", + "value": "Sne3sd8AZjq", + "value_start": 25, + "value_end": 36, + "variable": "password", + "variable_start": 16, + "variable_end": 24, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.459431618637298, + "valid": false + } + } + ] + }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.677, + "rule": "CMD Secret", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "--super-secret_token 1ace4d19-fa7e-b4e2-c3f0-9129474bcd81", + "line_num": 4, + "path": "tests/samples/cmd_credential", + "info": "tests/samples/cmd_credential|RAW", + "value": "1ace4d19-fa7e-b4e2-c3f0-9129474bcd81", + "value_start": 21, + "value_end": 57, + "variable": "super-secret_token", + "variable_start": 2, + "variable_end": 20, + "entropy_validation": { + "iterator": "BASE36_CHARS", + "entropy": 3.421470487212877, + "valid": true + } + } + ] + }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.677, + "rule": "CMD Token", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "--super-secret_token 1ace4d19-fa7e-b4e2-c3f0-9129474bcd81", + "line_num": 4, + "path": "tests/samples/cmd_credential", + "info": "tests/samples/cmd_credential|RAW", + "value": "1ace4d19-fa7e-b4e2-c3f0-9129474bcd81", + "value_start": 21, + "value_end": 57, + "variable": "super-secret_token", + "variable_start": 2, + "variable_end": 20, + "entropy_validation": { + "iterator": "BASE36_CHARS", + "entropy": 3.421470487212877, + "valid": true + } + } + ] + }, + 
{ + "api_validation": "NOT_AVAILABLE", + "ml_validation": "NOT_AVAILABLE", + "ml_probability": null, + "rule": "UUID", + "severity": "info", + "confidence": "strong", + "line_data_list": [ + { + "line": "--super-secret_token 1ace4d19-fa7e-b4e2-c3f0-9129474bcd81", + "line_num": 4, + "path": "tests/samples/cmd_credential", + "info": "tests/samples/cmd_credential|RAW", + "value": "1ace4d19-fa7e-b4e2-c3f0-9129474bcd81", + "value_start": 21, + "value_end": 57, + "variable": null, + "variable_start": -2, + "variable_end": -2, + "entropy_validation": { + "iterator": "BASE36_CHARS", + "entropy": 3.421470487212877, + "valid": true + } + } + ] + }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.996, + "rule": "CMD ConvertTo-SecureString", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "\"ConvertTo-SecureString \\\"4yd21JKH~GE8dkd\\\"\"", + "line_num": 2, + "path": "tests/samples/cmd_secure_string", + "info": "tests/samples/cmd_secure_string|RAW", + "value": "4yd21JKH~GE8dkd", + "value_start": 26, + "value_end": 41, + "variable": "ConvertTo-SecureString", + "variable_start": 1, + "variable_end": 23, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.3294387224237187, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", 
@@ -1937,6 +2072,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.898, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "--user master --password dipPr127Gg!", + "line_num": 28, + "path": "tests/samples/doc_id_pair_passwd_pair", + "info": "tests/samples/doc_id_pair_passwd_pair|RAW", + "value": "dipPr127Gg!", + "value_start": 25, + "value_end": 36, + "variable": "password", + "variable_start": 16, + "variable_end": 24, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.1449378351248165, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", @@ -2180,6 +2342,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.922, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "--username master --password dipPr137Gg!", + "line_num": 38, + "path": "tests/samples/doc_id_pair_passwd_pair", + "info": "tests/samples/doc_id_pair_passwd_pair|RAW", + "value": "dipPr137Gg!", + "value_start": 29, + "value_end": 40, + "variable": "password", + "variable_start": 20, + "variable_end": 28, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.1449378351248165, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", 
@@ -3746,6 +3935,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.644, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "--Password Prl23Db#@", + "line_num": 15, + "path": "tests/samples/doc_passwd_pair", + "info": "tests/samples/doc_passwd_pair|RAW", + "value": "Prl23Db#@", + "value_start": 11, + "value_end": 20, + "variable": "Password", + "variable_start": 2, + "variable_end": 10, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 2.4654972233440207, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", @@ -4070,6 +4286,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.927, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "-password \"Prl23Db#@\"", + "line_num": 33, + "path": "tests/samples/doc_passwd_pair", + "info": "tests/samples/doc_passwd_pair|RAW", + "value": "Prl23Db#@", + "value_start": 11, + "value_end": 20, + "variable": "password", + "variable_start": 1, + "variable_end": 9, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 2.4654972233440207, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", 
@@ -4421,6 +4664,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.999, + "rule": "CMD Token", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "--token AIhq5Xyb1Gga9Q5", + "line_num": 6, + "path": "tests/samples/doc_secret_pair", + "info": "tests/samples/doc_secret_pair|RAW", + "value": "AIhq5Xyb1Gga9Q5", + "value_start": 8, + "value_end": 23, + "variable": "token", + "variable_start": 2, + "variable_end": 7, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.773557262275185, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", @@ -4475,6 +4745,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 1.0, + "rule": "CMD Secret", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "-secret AIhq5Xyb1Gga9Q10", + "line_num": 11, + "path": "tests/samples/doc_secret_pair", + "info": "tests/samples/doc_secret_pair|RAW", + "value": "AIhq5Xyb1Gga9Q10", + "value_start": 8, + "value_end": 24, + "variable": "secret", + "variable_start": 1, + "variable_end": 7, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.875, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", diff --git a/tests/data/doc.json b/tests/data/doc.json index d892e769d..55f8b94c1 100644 --- a/tests/data/doc.json +++ b/tests/data/doc.json 
@@ -762,6 +762,77 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "NOT_AVAILABLE", + "ml_probability": null, + "rule": "ID_PAIR_PASSWD_PAIR", + "severity": "medium", + "confidence": "moderate", + "line_data_list": [ + { + "line": "mysql -u root --password Sne3sd8AZjq", + "line_num": 2, + "path": "tests/samples/cmd_credential", + "info": "tests/samples/cmd_credential|RAW", + "value": "--password", + "value_start": 14, + "value_end": 24, + "variable": "root", + "variable_start": 9, + "variable_end": 13, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 2.45754247590989, + "valid": false + } + }, + { + "line": "mysql -u root --password Sne3sd8AZjq", + "line_num": 2, + "path": "tests/samples/cmd_credential", + "info": "tests/samples/cmd_credential|RAW", + "value": "Sne3sd8AZjq", + "value_start": 25, + "value_end": 36, + "variable": "password", + "variable_start": 16, + "variable_end": 24, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.459431618637298, + "valid": false + } + } + ] + }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "NOT_AVAILABLE", + "ml_probability": null, + "rule": "UUID", + "severity": "info", + "confidence": "strong", + "line_data_list": [ + { + "line": "--super-secret_token 1ace4d19-fa7e-b4e2-c3f0-9129474bcd81", + "line_num": 4, + "path": "tests/samples/cmd_credential", + "info": "tests/samples/cmd_credential|RAW", + "value": "1ace4d19-fa7e-b4e2-c3f0-9129474bcd81", + "value_start": 21, + "value_end": 57, + "variable": null, + "variable_start": -2, + "variable_end": -2, + "entropy_validation": { + "iterator": "BASE36_CHARS", + "entropy": 3.421470487212877, + "valid": true + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "NOT_AVAILABLE", diff --git a/tests/data/ml_threshold.json b/tests/data/ml_threshold.json index 7f0ebc7eb..b5295088b 100644 --- a/tests/data/ml_threshold.json +++ b/tests/data/ml_threshold.json 
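Review bot: The new `ID_PAIR_PASSWD_PAIR` expectation for `mysql -u root --password Sne3sd8AZjq` pins a first `line_data_list` entry whose `value` is the literal option name `--password` (columns 14–24) paired with `variable` `root`, i.e. the flag is recorded as the credential of user `root`, and the real value only surfaces in the second entry. Committing that as expected output silently blesses a misparse; if the doc-mode pair rule is meant to skip tokens beginning with `-`, this sample exposes the gap, and if the behaviour is deliberate the fixture should say why a bare flag is an acceptable value. The four new CMD rules presumably do not help here because they list only `code` under `target`, so `--doc` scans keep relying on the pair heuristic for command-line examples, which is where such lines most often live.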
@@ -1032,6 +1032,222 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.261, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "1b1ae498fd0f808dbf99a7c4e9353a77e60be8c015d08169eee510028cd13796", + "line_num": 1, + "path": "tests/samples/cmd_credential", + "info": "", + "value": "4d71ba826dcec15bc11f955129a7248a0a603d9b746e28d5ac55fc6bc914ee12", + "value_start": 27, + "value_end": 38, + "variable": "1e089e3c5323ad80a90767bdd5907297b4138163f027097fd3bdbeab528d2d68", + "variable_start": 16, + "variable_end": 26, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.0957952550009344, + "valid": false + } + } + ] + }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.996, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "21198ab968bcff9c0f86c400ea3c23c42c7e9358acbd6bb3dc2c30d4b922f2f5", + "line_num": 2, + "path": "tests/samples/cmd_credential", + "info": "", + "value": "6f7f70541282a66e76b8a51f632c06ea1cd249383b93c6115918c8be1f1751c2", + "value_start": 25, + "value_end": 36, + "variable": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8", + "variable_start": 16, + "variable_end": 24, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.459431618637298, + "valid": false + } + } + ] + }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.49, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "8077be1590a0df320ec4804956dea4c0091df526e2e8f64a35c6e5425bdbae44", + "line_num": 3, + "path": "tests/samples/cmd_credential", + "info": "", + "value": "1d93a94722ecc94f7b40986e725da7bc319e2ba88561ab5fbc48ef4148566754", + "value_start": 31, + "value_end": 41, + "variable": 
"e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a", + "variable_start": 21, + "variable_end": 29, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 2.45754247590989, + "valid": false + } + } + ] + }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.677, + "rule": "CMD Secret", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "1ae7e294353b5948ae71ceca2ef2328708aaafe583bf66181a3ae1914d8f4479", + "line_num": 4, + "path": "tests/samples/cmd_credential", + "info": "", + "value": "60baf802074f156f49eeedf34500634667760f26f06faa332467de4e8d6486d5", + "value_start": 21, + "value_end": 57, + "variable": "80bedcca8ae855767b3c0e2329f4596d23673e6aa3a47393afbe194b75373f4c", + "variable_start": 2, + "variable_end": 20, + "entropy_validation": { + "iterator": "BASE36_CHARS", + "entropy": 3.421470487212877, + "valid": true + } + } + ] + }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.677, + "rule": "CMD Token", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "1ae7e294353b5948ae71ceca2ef2328708aaafe583bf66181a3ae1914d8f4479", + "line_num": 4, + "path": "tests/samples/cmd_credential", + "info": "", + "value": "60baf802074f156f49eeedf34500634667760f26f06faa332467de4e8d6486d5", + "value_start": 21, + "value_end": 57, + "variable": "80bedcca8ae855767b3c0e2329f4596d23673e6aa3a47393afbe194b75373f4c", + "variable_start": 2, + "variable_end": 20, + "entropy_validation": { + "iterator": "BASE36_CHARS", + "entropy": 3.421470487212877, + "valid": true + } + } + ] + }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "NOT_AVAILABLE", + "ml_probability": null, + "rule": "UUID", + "severity": "info", + "confidence": "strong", + "line_data_list": [ + { + "line": "1ae7e294353b5948ae71ceca2ef2328708aaafe583bf66181a3ae1914d8f4479", + "line_num": 4, + "path": 
"tests/samples/cmd_credential", + "info": "", + "value": "60baf802074f156f49eeedf34500634667760f26f06faa332467de4e8d6486d5", + "value_start": 21, + "value_end": 57, + "variable": null, + "variable_start": -2, + "variable_end": -2, + "entropy_validation": { + "iterator": "BASE36_CHARS", + "entropy": 3.421470487212877, + "valid": true + } + } + ] + }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.254, + "rule": "CMD ConvertTo-SecureString", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "8ce10e2726de21e3cd3df99988615e1c17378ca1e14388b514af23bef06bbb8c", + "line_num": 1, + "path": "tests/samples/cmd_secure_string", + "info": "", + "value": "c48b122a31e8b2e7f79b9a9dae2edab6859a5a9d53ff0c3fa4e8a554335c5008", + "value_start": 38, + "value_end": 50, + "variable": "35fd1a9a3f2a1f51ff8b5f3ca746dacab1cfa3d69bf53e51f924676c5006a88d", + "variable_start": 0, + "variable_end": 37, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 2.4245614587540074, + "valid": false + } + } + ] + }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.996, + "rule": "CMD ConvertTo-SecureString", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "b0cd460e2ef9a0cfdfc927f79a7e36e5561c4c75337b3c61a59e6d67d10c3860", + "line_num": 2, + "path": "tests/samples/cmd_secure_string", + "info": "", + "value": "244b5a405cb86f133c2418647bbef87677ab90596d891bea18b599d95ed9298a", + "value_start": 26, + "value_end": 41, + "variable": "5eb4f5d9d0102e8a62f2d83a0c4464d23fc799a261375a2d173fc8a9dcd619bd", + "variable_start": 1, + "variable_end": 23, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.3294387224237187, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", 
@@ -1815,6 +2031,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.898, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "26d50f69e93c70db8d2db47b12ce82c95b851e32f7f4ab765543d33f833d46d2", + "line_num": 28, + "path": "tests/samples/doc_id_pair_passwd_pair", + "info": "", + "value": "91fe0763720ff8d6cf1660833bc54ee06abdb28153a4c3fd13b86742b2c7a70c", + "value_start": 25, + "value_end": 36, + "variable": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8", + "variable_start": 16, + "variable_end": 24, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.1449378351248165, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", @@ -2058,6 +2301,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.922, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "d6a54231c56f8beb50298e2cba7572b4b9144b3e88ac576c820cd5d0bc40f726", + "line_num": 38, + "path": "tests/samples/doc_id_pair_passwd_pair", + "info": "", + "value": "cdc3e0e1a552e995265b0bb6a7f7cfb8a655fc48935a83e7c7b6acae83cb74bd", + "value_start": 29, + "value_end": 40, + "variable": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8", + "variable_start": 20, + "variable_end": 28, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.1449378351248165, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", 
@@ -4002,6 +4272,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.644, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "e774715f7708ac9a152613b93fa3bc54c00d3ad9a839db68e4a5cadb9fa38121", + "line_num": 15, + "path": "tests/samples/doc_passwd_pair", + "info": "", + "value": "b6e1eeb9d2a5110b00f7598fdc636407bfea849e9c6c6e5efbea1425206a1a34", + "value_start": 11, + "value_end": 20, + "variable": "e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a", + "variable_start": 2, + "variable_end": 10, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 2.4654972233440207, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", @@ -4353,6 +4650,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.927, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "a82441fcf39ed197055ece4ae41c9ab758995bcac8e83223b434695dacb9658e", + "line_num": 33, + "path": "tests/samples/doc_passwd_pair", + "info": "", + "value": "b6e1eeb9d2a5110b00f7598fdc636407bfea849e9c6c6e5efbea1425206a1a34", + "value_start": 11, + "value_end": 20, + "variable": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8", + "variable_start": 1, + "variable_end": 9, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 2.4654972233440207, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", 
@@ -4731,6 +5055,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.999, + "rule": "CMD Token", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "79a6a4295525d5f13bd7cbe3312d800fe97229a1ec2a160e0802f38fcaa6ab59", + "line_num": 6, + "path": "tests/samples/doc_secret_pair", + "info": "", + "value": "ace0a535a97f6664116993775ddf3644f44f3824498297e9144212c0bea838e2", + "value_start": 8, + "value_end": 23, + "variable": "3c469e9d6c5875d37a43f353d4f88e61fcf812c66eee3457465a40b0da4153e0", + "variable_start": 2, + "variable_end": 7, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.773557262275185, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", @@ -4785,6 +5136,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 1.0, + "rule": "CMD Secret", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "1ea5221b35ed6a8738b4ff71eb4c877016c0084570d445dac58e94a139375a6c", + "line_num": 11, + "path": "tests/samples/doc_secret_pair", + "info": "", + "value": "4bbbb84dece2876b41948e42f0c314a1650953520afd45725e8eb64da3148b4f", + "value_start": 8, + "value_end": 24, + "variable": "2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b", + "variable_start": 1, + "variable_end": 7, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.875, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", diff --git a/tests/data/output.json b/tests/data/output.json index ec34e6e14..d43e41100 100644 --- a/tests/data/output.json +++ b/tests/data/output.json 
@@ -1005,6 +1005,141 @@
 }
 ]
 },
+ {
+ "api_validation": "NOT_AVAILABLE",
+ "ml_validation": "VALIDATED_KEY",
+ "ml_probability": 0.996,
+ "rule": "CMD Password",
+ "severity": "high",
+ "confidence": "moderate",
+ "line_data_list": [
+ {
+ "line": "mysql -u root --password Sne3sd8AZjq",
+ "line_num": 2,
+ "path": "tests/samples/cmd_credential",
+ "info": "",
+ "value": "Sne3sd8AZjq",
+ "value_start": 25,
+ "value_end": 36,
+ "variable": "password",
+ "variable_start": 16,
+ "variable_end": 24,
+ "entropy_validation": {
+ "iterator": "BASE64_CHARS",
+ "entropy": 3.459431618637298,
+ "valid": false
+ }
+ }
+ ]
+ },
+ {
+ "api_validation": "NOT_AVAILABLE",
+ "ml_validation": "VALIDATED_KEY",
+ "ml_probability": 0.677,
+ "rule": "CMD Secret",
+ "severity": "high",
+ "confidence": "moderate",
+ "line_data_list": [
+ {
+ "line": "--super-secret_token 1ace4d19-fa7e-b4e2-c3f0-9129474bcd81",
+ "line_num": 4,
+ "path": "tests/samples/cmd_credential",
+ "info": "",
+ "value": "1ace4d19-fa7e-b4e2-c3f0-9129474bcd81",
+ "value_start": 21,
+ "value_end": 57,
+ "variable": "super-secret_token",
+ "variable_start": 2,
+ "variable_end": 20,
+ "entropy_validation": {
+ "iterator": "BASE36_CHARS",
+ "entropy": 3.421470487212877,
+ "valid": true
+ }
+ }
+ ]
+ },
+ {
+ "api_validation": "NOT_AVAILABLE",
+ "ml_validation": "VALIDATED_KEY",
+ "ml_probability": 0.677,
+ "rule": "CMD Token",
+ "severity": "high",
+ "confidence": "moderate",
+ "line_data_list": [
+ {
+ "line": "--super-secret_token 1ace4d19-fa7e-b4e2-c3f0-9129474bcd81",
+ "line_num": 4,
+ "path": "tests/samples/cmd_credential",
+ "info": "",
+ "value": "1ace4d19-fa7e-b4e2-c3f0-9129474bcd81",
+ "value_start": 21,
+ "value_end": 57,
+ "variable": "super-secret_token",
+ "variable_start": 2,
+ "variable_end": 20,
+ "entropy_validation": {
+ "iterator": "BASE36_CHARS",
+ "entropy": 3.421470487212877,
+ "valid": true
+ }
+ }
+ ]
+ },
+ {
+ "api_validation": "NOT_AVAILABLE",
+ "ml_validation": "NOT_AVAILABLE",
+ "ml_probability": null,
+ "rule": "UUID",
+ "severity": "info",
+ "confidence": "strong",
+ "line_data_list": [
+ {
+ "line": "--super-secret_token 1ace4d19-fa7e-b4e2-c3f0-9129474bcd81",
+ "line_num": 4,
+ "path": "tests/samples/cmd_credential",
+ "info": "",
+ "value": "1ace4d19-fa7e-b4e2-c3f0-9129474bcd81",
+ "value_start": 21,
+ "value_end": 57,
+ "variable": null,
+ "variable_start": -2,
+ "variable_end": -2,
+ "entropy_validation": {
+ "iterator": "BASE36_CHARS",
+ "entropy": 3.421470487212877,
+ "valid": true
+ }
+ }
+ ]
+ },
+ {
+ "api_validation": "NOT_AVAILABLE",
+ "ml_validation": "VALIDATED_KEY",
+ "ml_probability": 0.996,
+ "rule": "CMD ConvertTo-SecureString",
+ "severity": "high",
+ "confidence": "moderate",
+ "line_data_list": [
+ {
+ "line": "\"ConvertTo-SecureString \\\"4yd21JKH~GE8dkd\\\"\"",
+ "line_num": 2,
+ "path": "tests/samples/cmd_secure_string",
+ "info": "",
+ "value": "4yd21JKH~GE8dkd",
+ "value_start": 26,
+ "value_end": 41,
+ "variable": "ConvertTo-SecureString",
+ "variable_start": 1,
+ "variable_end": 23,
+ "entropy_validation": {
+ "iterator": "BASE64_CHARS",
+ "entropy": 3.3294387224237187,
+ "valid": false
+ }
+ }
+ ]
+ },
 {
 "api_validation": "NOT_AVAILABLE",
 "ml_validation": "VALIDATED_KEY",
@@ -1734,6 +1869,33 @@
 }
 ]
 },
+ {
+ "api_validation": "NOT_AVAILABLE",
+ "ml_validation": "VALIDATED_KEY",
+ "ml_probability": 0.898,
+ "rule": "CMD Password",
+ "severity": "high",
+ "confidence": "moderate",
+ "line_data_list": [
+ {
+ "line": "--user master --password dipPr127Gg!",
+ "line_num": 28,
+ "path": "tests/samples/doc_id_pair_passwd_pair",
+ "info": "",
+ "value": "dipPr127Gg!",
+ "value_start": 25,
+ "value_end": 36,
+ "variable": "password",
+ "variable_start": 16,
+ "variable_end": 24,
+ "entropy_validation": {
+ "iterator": "BASE64_CHARS",
+ "entropy": 3.1449378351248165,
+ "valid": false
+ }
+ }
+ ]
+ },
 {
 "api_validation": "NOT_AVAILABLE",
 "ml_validation": "VALIDATED_KEY",
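Review bot: The single token on sample line 4 (`--super-secret_token 1ace4d19-...`) is recorded three times in this hunk: the "CMD Secret" and "CMD Token" entries are byte-identical apart from the rule name (same path, `value_start` 21 / `value_end` 57, same `ml_probability` 0.677), and the "UUID" rule adds a third record for the same span. That means the keyword alternatives of the new CMD Secret and CMD Token rules both match a variable like `super-secret_token`, so any real command line containing such a flag will be reported twice at high severity. Either make the keyword sets disjoint, or have one of the two rules take precedence so one line yields one finding; the rule definitions themselves are in credsweeper/rules/config.yaml, outside this hunk. The expected-output fixture should then carry a single CMD record for this line next to the UUID record.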
@@ -1977,6 +2139,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.922, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "--username master --password dipPr137Gg!", + "line_num": 38, + "path": "tests/samples/doc_id_pair_passwd_pair", + "info": "", + "value": "dipPr137Gg!", + "value_start": 29, + "value_end": 40, + "variable": "password", + "variable_start": 20, + "variable_end": 28, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.1449378351248165, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", @@ -3543,6 +3732,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.644, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "--Password Prl23Db#@", + "line_num": 15, + "path": "tests/samples/doc_passwd_pair", + "info": "", + "value": "Prl23Db#@", + "value_start": 11, + "value_end": 20, + "variable": "Password", + "variable_start": 2, + "variable_end": 10, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 2.4654972233440207, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", 
@@ -3867,6 +4083,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.927, + "rule": "CMD Password", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "-password \"Prl23Db#@\"", + "line_num": 33, + "path": "tests/samples/doc_passwd_pair", + "info": "", + "value": "Prl23Db#@", + "value_start": 11, + "value_end": 20, + "variable": "password", + "variable_start": 1, + "variable_end": 9, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 2.4654972233440207, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", @@ -4218,6 +4461,33 @@ } ] }, + { + "api_validation": "NOT_AVAILABLE", + "ml_validation": "VALIDATED_KEY", + "ml_probability": 0.999, + "rule": "CMD Token", + "severity": "high", + "confidence": "moderate", + "line_data_list": [ + { + "line": "--token AIhq5Xyb1Gga9Q5", + "line_num": 6, + "path": "tests/samples/doc_secret_pair", + "info": "", + "value": "AIhq5Xyb1Gga9Q5", + "value_start": 8, + "value_end": 23, + "variable": "token", + "variable_start": 2, + "variable_end": 7, + "entropy_validation": { + "iterator": "BASE64_CHARS", + "entropy": 3.773557262275185, + "valid": false + } + } + ] + }, { "api_validation": "NOT_AVAILABLE", "ml_validation": "VALIDATED_KEY", 
@@ -4272,6 +4542,33 @@
 }
 ]
 },
+ {
+ "api_validation": "NOT_AVAILABLE",
+ "ml_validation": "VALIDATED_KEY",
+ "ml_probability": 1.0,
+ "rule": "CMD Secret",
+ "severity": "high",
+ "confidence": "moderate",
+ "line_data_list": [
+ {
+ "line": "-secret AIhq5Xyb1Gga9Q10",
+ "line_num": 11,
+ "path": "tests/samples/doc_secret_pair",
+ "info": "",
+ "value": "AIhq5Xyb1Gga9Q10",
+ "value_start": 8,
+ "value_end": 24,
+ "variable": "secret",
+ "variable_start": 1,
+ "variable_end": 7,
+ "entropy_validation": {
+ "iterator": "BASE64_CHARS",
+ "entropy": 3.875,
+ "valid": false
+ }
+ }
+ ]
+ },
 {
 "api_validation": "NOT_AVAILABLE",
 "ml_validation": "VALIDATED_KEY",
diff --git a/tests/samples/cmd_credential b/tests/samples/cmd_credential
new file mode 100644
index 000000000..363036052
--- /dev/null
+++ b/tests/samples/cmd_credential
@@ -0,0 +1,4 @@
+gpg --decrypt --passphrase N1DdkUD3E73 --output decrypted.txt encrypted.txt.gpg
+mysql -u root --password Sne3sd8AZjq
+-Domain 'localhost' -Password 'Sjdn43ss@!'
+--super-secret_token 1ace4d19-fa7e-b4e2-c3f0-9129474bcd81
diff --git a/tests/samples/cmd_secure_string b/tests/samples/cmd_secure_string
new file mode 100644
index 000000000..9b79c43a2
--- /dev/null
+++ b/tests/samples/cmd_secure_string
@@ -0,0 +1,2 @@
+ConvertTo-SecureString -String -Force dsjUE#$gds8s
+"ConvertTo-SecureString \"4yd21JKH~GE8dkd\""
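Review bot: Only lines 2 and 4 of this sample appear in the output.json expectations added by this commit; line 1 (`gpg --decrypt --passphrase N1DdkUD3E73 ...`) and line 3 (`-Domain 'localhost' -Password 'Sjdn43ss@!'`) have no finding at all, assuming output.json is ordered by path as the surrounding entries suggest. Both shapes are common in real command lines — `--passphrase` for gpg/openssl and a single-quoted value after `-Password` for PowerShell — so if they are meant as positives the new CMD Password pattern is missing them, and if they are meant as negatives the sample name `cmd_credential` and the lack of any marker make that intent invisible. Whether the regex or the ML filter dropped them is not visible from this diff. Please either add the two expected records (`"value": "N1DdkUD3E73"` and `"value": "Sjdn43ss@!"` under rule `CMD Password`) or move the intended negatives into their own sample so the positive count of this file is unambiguous.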
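Review bot: Line 1, `ConvertTo-SecureString -String -Force dsjUE#$gds8s`, is not the form this cmdlet takes in real scripts (`-String` expects its argument immediately, and a plaintext conversion is normally written `ConvertTo-SecureString -String "..." -AsPlainText -Force`), and it produces no finding in the output.json hunk — the only detection for this file is the quoted line 2. If line 1 is an intentional negative, the realistic positive form with `-AsPlainText -Force` is then not exercised at all by this sample. I would add a third line such as `ConvertTo-SecureString -String "dsjUE#gds8s" -AsPlainText -Force` with a matching expected record, so the rule is tested against the syntax it is most likely to meet in checked-in PowerShell.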