MDT Domain Join Credentials in CustomSettings.ini

Detects Microsoft Deployment Toolkit (MDT) customsettings.ini files that embed domain join credentials, including DomainAdminPassword and DomainAdmin account values used during automated OS deployments. Mirrors Snaffler rule KeepDomainJoinCredsByName / KeepDomainJoinCredsByPath.

Type: regex
Engine: boost_regex
Confidence: high
Confidence justification: High confidence: DomainAdminPassword= in an ini-format file is the canonical MDT credential pattern with negligible false-positive surface outside deployment tooling. AdminPassword= is slightly broader but gated with MDT context evidence at the 75+ tier.
Jurisdictions: global
Regulations: Criminal Code Act 1995 (Cth)
Frameworks: CIS Controls, ISO 27001, NIST CSF
Data categories: credentials, security
Scope: specific
Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Unsupported

Pattern

(?:DomainAdminPassword|AdminPassword)\s*=\s*\S{4,}

Corroborative evidence keywords

customsettings, JoinDomain, DomainAdminDomain, MachineObjectOU, DeployRoot, DomainAdmin, TaskSequenceID

Proximity: 300 characters

Should match

DomainAdminPassword=P@ssw0rd123 — Direct DomainAdminPassword assignment in MDT customsettings.ini
AdminPassword=Str0ngP@ss! — AdminPassword assignment used in MDT unattend/customsettings blocks
[Default] JoinDomain=corp.local DomainAdmin=svcMDT DomainAdminDomain=CORP DomainAdminPassword=S3cr3tDeploy MachineObjectOU=OU=Workstations,DC=corp,DC=local — Full MDT customsettings.ini Default section with domain join credentials
DomainAdminPassword = SuperSecret99 — DomainAdminPassword with spaces around equals sign

Should not match

DomainAdminPassword= — Empty assignment — no password value present
DomainAdminPassword=abc — Value too short (fewer than 4 non-whitespace chars)
JoinDomain=corp.local — Domain join config with no password field

Known false positives

MDT documentation or training materials showing sample customsettings.ini with placeholder passwords like PLACEHOLDER or password123. Mitigation: Check for common placeholder tokens; require proximity to at least one MDT-specific field (JoinDomain, DeployRoot, MachineObjectOU).
INI files from other deployment tools that happen to use AdminPassword= for unrelated purposes such as BIOS or firmware configuration. Mitigation: Gate AdminPassword form at 75+ with MDT-specific corroborative evidence (JoinDomain, MachineObjectOU, DeployRoot).

Collections

Snaffler Parity — Credential & Secret Files