Remote Access Tool Credential Files
Detects passwords and credentials stored in remote access configuration files including RDCMan .rdg files (logonCredentials blocks), mRemoteNG confCons.xml (Node Password attributes), and OpenVPN .ovpn files with embedded auth directives. MobaXterm .ini files are a Snaffler filename target only — passwords are stored obfuscated (proprietary XOR cipher) with no plaintext fingerprint detectable by content regex. Mirrors Snaffler rules KeepRemoteAccessConfByExtension and KeepRemoteAccessConfByName.
- Type: regex
- Engine: boost_regex
- Confidence: high
- Confidence justification: High confidence: RDCMan logonCredentials/password and mRemoteNG Node Password attribute patterns are highly specific to remote access management tools. The OpenVPN directive form is weak and gated strictly with contextual evidence.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF
- Data categories: credentials, security, network
- Scope: specific
- Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible
Pattern
<logonCredentials[\s\S]{0,150}<password>[\s\S]{0,200}</password>
Corroborative evidence keywords
RDCMan, RDGManager, mRemoteNG, OpenVPN, logonCredentials, confCons, rdg, ovpn
Proximity: 300 characters
Should match
- <logonCredentials inherit="None"><profileName scope="Local">admin</profileName><userName>Administrator</userName><password>AQAAANCMnd8BFdERjHoAwE</password></logonCredentials> — RDCMan .rdg logonCredentials block with DPAPI-encrypted password
- <logonCredentials> <userName>svcRDP</userName> <password>P@ssword123!</password> </logonCredentials> — Multiline RDCMan logonCredentials block with plaintext password
- <Node Name="Server01" Hostname="10.0.0.1" Username="admin" Password="dGVzdHBhc3M=" Protocol="RDP" /> — mRemoteNG confCons.xml Node element with base64-encoded Password attribute
- auth-user-pass credentials.txt — OpenVPN config referencing an auth-user-pass credentials file
Should not match
- <logonCredentials inherit="FromParent" /> — RDCMan logonCredentials that inherits from parent with no inline password
- <Node Name="Test" Hostname="example.com" /> — mRemoteNG Node element with no Password attribute
Known false positives
- XML files from other tools that coincidentally use logonCredentials or password elements but are not remote desktop configuration files. Mitigation: Require proximity to RDCMan/mRemoteNG-specific elements or .rdg/.rdgm file context evidence.
- OpenVPN config files that reference auth-user-pass with an external credential file rather than inline credentials. Mitigation: The directive itself indicates a credential file is in use; treat as a finding regardless of whether credentials are inline.
- MobaXterm .ini files are not content-detectable by regex. MobaXterm stores session passwords using a proprietary XOR-based obfuscation cipher — the stored values are encoded byte sequences, not plaintext. There is no reliable plaintext credential field fingerprint in MobaXterm.ini content. MobaXterm remains a valid Snaffler filename target (KeepRemoteAccessConfByExtension) but is excluded from this pattern's content-matching regexes. Mitigation: Rely on filename-based detection (MobaXterm.ini, MobaXterm.mxm) rather than content regex for MobaXterm credential discovery.
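As an added example (not part of this rule page or its platform), a Python scanner that applies the page's RDCMan pattern verbatim, plus assumed regexes for the mRemoteNG Node Password attribute and the OpenVPN auth-user-pass directive, and gates the weak OpenVPN form on a corroborative keyword inside the 300-character proximity window or in the file name. The samples are constructed from the page's should-match and should-not-match cases.

```python
import re

# Constructed samples, taken from this page's should-match / should-not-match lists.
SAMPLES = {
    "rdcman_dpapi": '<logonCredentials inherit="None"><profileName scope="Local">admin</profileName>'
                    '<userName>Administrator</userName><password>AQAAANCMnd8BFdERjHoAwE</password></logonCredentials>',
    "rdcman_multiline": "<logonCredentials>\n  <userName>svcRDP</userName>\n"
                        "  <password>P@ssword123!</password>\n</logonCredentials>",
    "mremoteng": '<Node Name="Server01" Hostname="10.0.0.1" Username="admin" Password="dGVzdHBhc3M=" Protocol="RDP" />',
    "openvpn": "client\ndev tun\nauth-user-pass credentials.txt\n",
    "rdcman_inherit": '<logonCredentials inherit="FromParent" />',
    "node_nopw": '<Node Name="Test" Hostname="example.com" />',
}

# The page's pattern, verbatim; [\s\S] spans newlines so multiline blocks still match.
RDCMAN_RE = re.compile(r"<logonCredentials[\s\S]{0,150}<password>[\s\S]{0,200}</password>")
# Assumed forms for the other two tools the page describes (not the page's own regexes).
MREMOTENG_RE = re.compile(r'<Node\b[^>]{0,300}\bPassword="[^"]+"')  # non-empty Password attribute
OPENVPN_RE = re.compile(r"^\s*auth-user-pass\b", re.M)              # weak form: needs context

# Corroborative evidence keywords and proximity window from the page (lower-cased for matching).
KEYWORDS = ("rdcman", "rdgmanager", "mremoteng", "openvpn", "logoncredentials", "confcons", "rdg", "ovpn")
PROXIMITY = 300

# (rule name, regex, context required); only the OpenVPN directive is gated.
RULES = (("rdcman", RDCMAN_RE, False), ("mremoteng", MREMOTENG_RE, False), ("openvpn", OPENVPN_RE, True))


def has_context(text, start, end, filename):
    """True if a keyword sits within PROXIMITY chars of the hit or in the file name."""
    window = (text[max(0, start - PROXIMITY):end + PROXIMITY] + " " + filename).lower()
    return any(k in window for k in KEYWORDS)


def scan(text, filename=""):
    """Return the names of rules that fire on text; gated rules need corroborating context."""
    hits = []
    for name, rx, gated in RULES:
        for m in rx.finditer(text):
            if gated and not has_context(text, m.start(), m.end(), filename):
                continue
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        fname = {"openvpn": "client.ovpn"}.get(label, "")
        print(f"{label:18s} -> {scan(text, fname)}")
```

Running the OpenVPN sample under a neutral file name such as notes.txt shows the gating: the directive alone produces no finding until a keyword or a .ovpn file name corroborates it.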