Snaffler Parity — Credential & Secret Files
Content-based Purview SITs replicating Snaffler's sensitive-file detections. Complements filename-based hunting by detecting the same secrets by content, everywhere M365 reaches.
- Patterns: 22
Patterns in this collection
Detects credentials and sensitive configuration directives in Cisco IOS/NX-OS configuration files, including enable passwords/secrets, SNMP community strings with write access, PAC keys, and NVRAM/LDAP authentication indicators. Mirrors Snaffler rule KeepNetConfigCreds.
- Type: regex
- Confidence: high
Detects credentials passed as command-line arguments in Windows batch scripts, PowerShell, and shell scripts. Covers net use /user:, schtasks /rp, psexec -p, cmdkey, and bare password= assignments. Mirrors Snaffler rule KeepCmdCredentials.
- Type: regex
- Confidence: medium
Detects Microsoft Defender for Identity (MDI) SensorConfiguration.json files containing DirectoryServicesAccount credentials and Microsoft Defender for Endpoint (MDE) mdatp_managed.json files containing onboardingInfo blobs, both of which represent high-value security tool configuration secrets. Mirrors Snaffler rule KeepDefenderConfigByName.
- Type: regex
- Confidence: medium
Detects Microsoft Deployment Toolkit (MDT) customsettings.ini files that embed domain join credentials, including DomainAdminPassword and DomainAdmin account values used during automated OS deployments. Mirrors Snaffler rule KeepDomainJoinCredsByName / KeepDomainJoinCredsByPath.
- Type: regex
- Confidence: high
Detects Firefox logins.json encrypted password entries in the JSON format used by Firefox's NSS (Network Security Services) credential store. Mirrors Snaffler rule KeepFFRegexRed.
- Type: regex
- Confidence: high
Detects passwords stored in FTP server and client configuration files, including FileZilla server/client recentservers.xml base64-encoded passwords, proftpd-style shadow passwd lines with hashed credentials, and sftp-config.json plaintext password fields. Mirrors Snaffler rules KeepFtpServerConfigByName and KeepFtpClientConfigConfigByName.
- Type: regex
- Confidence: high
Detects embedded credentials (username:password) in Git repository URLs. Mirrors Snaffler rule KeepGitCredsByName.
- Type: regex
- Confidence: high
Detects Apache htpasswd file entries containing hashed passwords in MD5 ($apr1$), bcrypt ($2y$, $2b$, $2a$), or SHA ({SHA}) formats. Mirrors Snaffler rule KeepConfigByName.
- Type: regex
- Confidence: high
Detects secrets embedded in Infrastructure as Code files including Terraform/HCL variable assignments and Azure Cloud Service configuration (.cscfg) XML settings. Mirrors Snaffler rule KeepInfraAsCodeByExtension.
- Type: regex
- Confidence: high
Detects Jenkins-encrypted credential values in the {base64...} format used by Jenkins credentials.xml and similar configuration files. Mirrors Snaffler rule KeepJenkinsByName.
- Type: regex
- Confidence: high
Detects MediaWiki LocalSettings.php files containing database passwords ($wgDBpassword), secret keys ($wgSecretKey), and upgrade keys ($wgUpgradeKey). These are high-value secrets that grant database and administrative access to a MediaWiki installation. Mirrors Snaffler rule KeepPhpByName.
- Type: regex
- Confidence: high
Detects credential list files — documents containing multiple username/password pairs in a structured, enumerated format (passwords.txt, secrets.*, BitlockerLAPSPasswords.csv, etc.). Distinguishes a credential roster from prose mentioning "password". Mirrors Snaffler rule KeepPasswordFilesByName.
- Type: regex
- Confidence: medium
Detects PostgreSQL .pgpass file entries containing hostname, port, database, username, and password in colon-separated format. Mirrors Snaffler rule KeepDbMgtConfigByName.
- Type: regex
- Confidence: medium
Detects PowerShell credential constructs that embed plaintext passwords, including ConvertTo-SecureString with -AsPlainText and [Net.NetworkCredential]::new() calls. Mirrors Snaffler rule KeepPsCredentials.
- Type: regex
- Confidence: high
Detects secret credentials embedded in Ruby on Rails configuration files: secret_token/secret_key_base assignments (config/initializers/secret_token.rb, config/secrets.yml), database passwords (config/database.yml), and Chef knife client keys (knife.rb). These files are frequently committed to source control and expose application secrets and infrastructure access. Mirrors Snaffler rule KeepRubyByName.
- Type: regex
- Confidence: medium
Detects DPAPI-encrypted saved passwords stored in Windows Remote Desktop Protocol (.rdp) configuration files. The characteristic line "password 51:b:<base64-blob>" contains a DPAPI ciphertext blob representing a saved RDP credential. These files are frequently found on file shares, workstations, and in source-control repositories and represent a high-severity finding because the blob can be decrypted on the originating machine under the same user context. Mirrors Snaffler rule KeepRdpPasswords.
- Type: regex
- Confidence: high
Detects passwords and credentials stored in remote access configuration files including RDCMan .rdg files (logonCredentials blocks), mRemoteNG confCons.xml (Node Password attributes), and OpenVPN .ovpn files with embedded auth directives. MobaXterm .ini files are a Snaffler filename target only — passwords are stored obfuscated (proprietary XOR cipher) with no plaintext fingerprint detectable by content regex. Mirrors Snaffler rules KeepRemoteAccessConfByExtension and KeepRemoteAccessConfByName.
- Type: regex
- Confidence: high
Detects S3 and S3A URI references in source code or configuration files when accompanied by AWS credential context. S3 URIs alone are high-FP enumeration signals; this pattern only fires at 75+ confidence when AWS credential evidence (access key, secret, AKIA prefix, bucket context) is present within 300 characters. Mirrors Snaffler rule KeepS3UriPrefixInCode.
- Type: regex
- Confidence: low
Detects credentials embedded in shell history files (.bash_history, .zsh_history, ConsoleHost_History.txt) including exported environment variable secrets, mysql command-line passwords, curl basic auth credentials, and sshpass invocations. Mirrors Snaffler rule KeepShellHistoryByName.
- Type: regex
- Confidence: high
Detects database connection credentials embedded in source code across Java (JDBC), PHP, Perl, Ruby, and Python. Matches database driver connect() calls containing credentials inline. Mirrors Snaffler rules KeepJavaDbConnStrings, KeepPhpDbConnStrings, KeepPerlDbConnStrings, KeepRubyDbConnStrings, KeepPyDbConnStrings.
- Type: regex
- Confidence: medium
Detects SQL statements that create database user accounts or logins with embedded passwords, covering SQL Server CREATE LOGIN, MySQL CREATE USER IDENTIFIED BY, and PostgreSQL CREATE USER WITH PASSWORD. Mirrors Snaffler rule KeepSqlAccountCreation.
- Type: regex
- Confidence: high
Detects plaintext passwords stored in Windows unattend.xml answer files, specifically the AdministratorPassword and AutoLogon <Value> XML elements used during Windows automated setup. These files frequently contain Administrator or auto-logon credentials in cleartext and represent a high severity finding when discovered on file shares or in software repositories. Mirrors Snaffler rule KeepUnattendXmlRegexRed.
- Type: regex
- Confidence: high