Unattend.xml Administrator/AutoLogon Password
Detects plaintext passwords stored in Windows unattend.xml answer files, specifically the AdministratorPassword and AutoLogon <Value> XML elements used during Windows automated setup. These files frequently contain Administrator or auto-logon credentials in cleartext and represent a high-severity finding when discovered on file shares or in software repositories. Mirrors the Snaffler rule KeepUnattendXmlRegexRed.
- Type: regex
- Engine: boost_regex
- Confidence: high
- Confidence justification: High confidence: the XML element structure (<AdministratorPassword> or <AutoLogon> containing a <Value> child with non-empty content) is highly specific to Windows unattend answer files. False positives from XML fragments sharing this exact nesting are extremely rare.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth), Computer Fraud and Abuse Act (CFAA), Cybersecurity Maturity Model Certification (CMMC)
- Frameworks: CIS Controls, ISO 27001, NIST CSF
- Data categories: credentials, security, configuration
- Scope: specific
- Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible
Pattern
<AdministratorPassword>[\s\S]{0,30}<Value>[^<]{1,200}</Value>
Corroborative evidence keywords
urn:schemas-microsoft-com:unattend, UserAccounts, AutoLogon, cpassword, LocalAccounts, PlainText, unattend.xml, autounattend.xml
Proximity: 300 characters
Should match
- <UserAccounts><AdministratorPassword><Value>P@ssw0rd123</Value><PlainText>true</PlainText></AdministratorPassword></UserAccounts> — AdministratorPassword with plaintext value and PlainText element
- <AdministratorPassword> <Value>S3cur3P@ss!</Value> </AdministratorPassword> — AdministratorPassword with newline-separated Value element
- <AutoLogon><Value>WinSetup2024!</Value></AutoLogon> — AutoLogon block with Value element directly nested
- <AutoLogon><Enabled>1</Enabled><Value>MyLogonPass99</Value></AutoLogon> — AutoLogon with Enabled sibling before Value (within the 30-character gap)
- <AdministratorPassword><Value>ComplexP@ss#1</Value></AdministratorPassword> — Minimal AdministratorPassword with non-empty value
Should not match
- <AdministratorPassword><Value></Value></AdministratorPassword> — Empty Value element should not match
- <SomeOtherElement><Value>P@ssw0rd</Value></SomeOtherElement> — Value element under an unrelated parent element should not match
- AdministratorPassword Value P@ssword plain text — Unstructured text with credential keywords but no XML structure
Known false positives
- Sanitised or redacted unattend.xml files where the Value element has been replaced with a placeholder such as "REDACTED" or "*" may still match; review actual value content. Mitigation: Examine the matched Value content — placeholder strings are typically short ASCII tokens rather than real passwords.
- Schema documentation or XML examples referencing the AdministratorPassword element structure without real credential values. Mitigation: Check surrounding file context; documentation files typically lack sibling elements such as <PlainText> or a full <UserAccounts> block.
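The following added example (not part of the rule page or of Snaffler) runs the pattern over the page's positive and negative samples, applies the 300-character corroborative-keyword window, and flags the placeholder values described under known false positives. Assumption: the page's pattern text covers only <AdministratorPassword>, while its description and samples also name <AutoLogon>, so the regex here adds an AutoLogon branch of the same shape; the placeholder list and sample fragments are constructed.

```python
import re

# The page's pattern, extended with an AutoLogon branch of the same shape.
# Assumption: the published pattern covers only <AdministratorPassword>,
# while the description and test cases also name <AutoLogon>.
PATTERN = re.compile(
    r"<(?P<parent>AdministratorPassword|AutoLogon)>[\s\S]{0,30}"
    r"<Value>(?P<value>[^<]{1,200})</Value>"
)

# Corroborative keywords and proximity window from the rule page.
KEYWORDS = ("urn:schemas-microsoft-com:unattend", "UserAccounts", "AutoLogon",
            "cpassword", "LocalAccounts", "PlainText", "unattend.xml",
            "autounattend.xml")
PROXIMITY = 300

# Redaction tokens that indicate a sanitised file (constructed list, not from the rule).
PLACEHOLDERS = {"REDACTED", "CHANGEME", "PASSWORD"}


def is_placeholder(value):
    """True for redaction tokens such as REDACTED, or a value that is only asterisks."""
    v = value.strip()
    return v.upper() in PLACEHOLDERS or set(v) <= {"*"}


def scan(text):
    """Return one finding per regex match, with corroboration and severity."""
    findings = []
    for m in PATTERN.finditer(text):
        # Collect corroborative keywords within PROXIMITY characters on either side.
        window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        hits = [k for k in KEYWORDS if k in window]
        findings.append({
            "parent": m.group("parent"),
            "value": m.group("value"),
            "keywords": hits,
            # A corroborated, non-placeholder value keeps the rule's high severity;
            # anything else is handed to an analyst for review.
            "severity": "high" if hits and not is_placeholder(m.group("value")) else "review",
        })
    return findings


# Constructed sample fragments, not real answer files.
SAMPLE_LIVE = ('<unattend xmlns="urn:schemas-microsoft-com:unattend"><UserAccounts>'
               '<AdministratorPassword><Value>P@ssw0rd123</Value><PlainText>true'
               '</PlainText></AdministratorPassword></UserAccounts></unattend>')
SAMPLE_REDACTED = '<AutoLogon><Enabled>1</Enabled><Value>REDACTED</Value></AutoLogon>'
SAMPLE_EMPTY = '<AdministratorPassword><Value></Value></AdministratorPassword>'
SAMPLE_OTHER = '<SomeOtherElement><Value>P@ssw0rd</Value></SomeOtherElement>'
```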