Applications with plaintext passwords

# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Applications with plaintext passwords

# MITRE ATT&CK technique IDs
mitre_ids:
  - T1552

# Description of what the query does and its purpose.
description: Table of applications identified as potentially handling plaintext passwords.

# The author or team that created the query.
author: ByteRay GmbH

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Endpoint

# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Hunting

cs_required_modules: 
  - Insight

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  "#event_simpleName" = ProcessRollup2 event_platform="Win" CommandLine=/REDACTED/
  | wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
  | groupBy([FileName], function=[count(aid, distinct=true, as="Hosts")])
  | sort(Hosts)

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  Falcon automatically attempts to redact plain-text passwords in process command lines to prevent sensitive data exposure. When this occurs, the password string is replaced with the marker `/REDACTED/`.
  Therefore, during analysis we specifically look for the `/REDACTED/` placeholder within command-line arguments as an indicator that Falcon has detected and masked a potential plain-text password.
  
  Reference: https://www.reddit.com/r/crowdstrike/comments/u8ji4i/commandline_redacted/