Command-Line Credential Strings

Name: Command-Line Credential Strings
Creator: TestPattern Community
License: https://opensource.org/licenses/MIT

Detects credentials passed as command-line arguments in Windows batch scripts, PowerShell, and shell scripts. Covers net use /user:, schtasks /rp, psexec -p, cmdkey, and bare password= assignments. Mirrors Snaffler rule KeepCmdCredentials.

Type: regex
Engine: boost_regex
Confidence: medium
Confidence justification: Medium confidence: these command forms are highly suggestive of hardcoded credentials but appear in legitimate automation scripts. Tiered gating with evidence at 75/85 reduces false positives in documentation and approved deployment scripts.
Jurisdictions: global
Regulations: Criminal Code Act 1995 (Cth)
Frameworks: CIS Controls, ISO 27001, NIST CSF, PCI-DSS
Data categories: credentials, security
Scope: specific
Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible

Pattern

net use [\s\S]{0,300}/user:

Corroborative evidence keywords

net use, [object Object], runas, psexec, password, schtasks, cmdkey

Proximity: 300 characters

Should match

net use //server/share /user:CORP/svc_account P@ssw0rd1 — net use with slash-user flag and inline password credential
net use Z: //fileserver/data /user:domain/administrator S3cr3tPass — net use drive mapping with domain credentials
schtasks /create /tn Backup /tr backup.bat /sc daily /ru DOMAIN/svc /rp Secr3tPass — schtasks with /rp run-password for scheduled task
psexec //remotehost -u admin -p Pass123 cmd.exe — psexec with -p inline password
cmdkey /generic:targetserver /user:admin /pass:P@ssword1 — cmdkey storing generic credential
password='MyS3cretP4ss' — Bare password assignment in script variable

Should not match

net use //server/share — net use without authentication flags - no credential exposure
See the documentation for details on how to configure schtasks and run-password parameters securely. — Prose documentation describing parameters without actual credential values

Known false positives

Deployment documentation or run-book examples that show net use / schtasks syntax with placeholder passwords. Mitigation: Check for placeholder bracket patterns and documentation file extensions; use evidence gating at 75+ tier.
Audit log excerpts showing redacted command lines with masked credential fields. Mitigation: Require the password= or /rp form to contain a non-trivially-short value; evidence proximity at 75 further filters.

Collections

Snaffler Parity — Credential & Secret Files