From 8f138651388fb941ebc6e28dfa95405e5e1646c8 Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Wed, 9 Apr 2025 10:18:07 +0000
Subject: [PATCH] page(threat-hunting): Clear-text password search

---
 source/threat-hunting/index.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md
index 3d40581..80fcdcb 100644
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@@ -2,7 +2,7 @@
 title: Splunk Threat Hunting
 layout: page
 date: 2025-01-15
-updated: 2025-04-08
+updated: 2025-04-09
 ---
 
 Some searches utilise [cmdb_ci_list_lookup](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_snow) lookup.
@@ -387,6 +387,16 @@ SPL:
 | table Time, index, host, EventCode, EventDescription, parent_process, parent_process_path, process, user, Name, Email
 ```
 
+## Clear-text password search
+
+References: [1](https://blog.talosintelligence.com/uat-5918-targets-critical-infra-in-taiwan/#credential-extraction), [2](https://thedfirreport.com/2024/08/26/blacksuit-ransomware/#collection), [3](https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/#credential-access)
+SPL:
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name="findstr.exe" Processes.process="*password*" BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
+| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
+```
+
 ## ClickFix detection
 
 Description: Detecting ClickFix execution via the Windows Run dialog.