Credentials In File Detected


Detect known credential patterns inside data indexed in Splunk.

Use Case

Security Monitoring, Compliance


Compliance, Data Exfiltration, Zero Trust

Security Impact

Adversaries may dump credentials into local files using OS Credential Dumping or credentials might have been left in files by mistake. In cloud environments, authenticated user credentials are often stored in local configuration and credential files. This search looks for common credential patterns in log files in Splunk using a list of regexes in a lookup file.

Alert Volume


SPL Difficulty



Stage 1


Credential Access

MITRE ATT&CK Techniques

Unsecured Credentials
Exploitation for Credential Access
Credentials In Files
Private Keys

MITRE Threat Groups

Stolen Pencil

Kill Chain Phases

Actions On Objectives

Data Sources

Any Splunk Logs

How to Implement

By default this search looks for known log file dump locations, but you might want to include or exclude certain locations before deploying. You can also add, modify or disable the regex patterns in the lookup file credential_patterns.csv in order to get better coverage or to exclude false positive matches. Note that this search is very resource heavy and will run very slowly. If you enable this search, make sure that you keep the time window short or schedule it to run infrequently.

Known False Positives

This search could trigger false positives if some of the credential patterns match other strings that exist in the files. If that is the case in your environment, you can modify the lookup that holds the patterns to include or exclude certain patterns.

How To Respond

This alert triggers when clear text credentials are found inside Splunk. It might indicate a mistake or an adversary performing credential dumping activities. Recommended next steps are to investigate why the credentials are in the file and how the file ended up in Splunk.


Credentials In File Detected Help

The basic idea behind this search is to take a set of known credential patterns from a lookup file (credential_patterns.csv) and dynamically build up a statement for the rex command. This is a little-known technique in SPL and has wide-ranging applicability beyond this detection search. If a match is found, an additional round of matching occurs to find in which field the offending value was found. The last lines of the search are there to make the output easy to read for the analyst.
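The following Python script is an added example, not the page's own SPL or the real contents of credential_patterns.csv. It reproduces offline the logic described in the Help section and in How to Implement: read a lookup of named regex patterns, fold the enabled rows into one combined expression (the same idea as assembling a single rex statement from the lookup), run a first pass over the whole raw event, and on a hit run a second pass to attribute the match to a field. It also shows the two tuning knobs the page mentions: disabling a noisy row, and suppressing placeholder values (a masked password) that would otherwise be false positives. The CSV column names, the regexes, the suppression list and the sample events are all constructed assumptions for this example.

```python
import csv
import io
import re

# Constructed lookup in the shape of a credential_patterns.csv. The column names and
# regexes are assumptions for this example, not the real lookup's contents.
# enabled=0 shows how a noisy pattern is switched off without deleting the row.
CREDENTIAL_PATTERNS_CSV = r"""pattern_name,regex,enabled
aws_access_key_id,AKIA[0-9A-Z]{16},1
private_key_header,-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----,1
password_assignment,[Pp]assword\s*[=:]\s*\S+,1
generic_token,"[Tt]oken\s*[=:]\s*[A-Za-z0-9_\-]{20,}",0
"""

# Constructed suppression list: a matched value that also matches one of these is a
# placeholder written by an application (masked or redacted), not a real secret.
SUPPRESS_VALUE_CSV = r"""suppress_regex
\*\*\*+
<redacted>
"""

# Constructed sample events standing in for indexed Splunk events (field -> value).
SAMPLE_EVENTS = [
    {"source": "/var/log/app/config_dump.log", "user": "svc_deploy",
     "message": "loaded settings: db_host=db01 password=Sup3rSecret!"},
    {"source": "/var/log/auth.log", "user": "alice",
     "message": "session opened for user alice"},
    {"source": "/home/bob/.aws/credentials", "user": "bob",
     "message": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE"},  # AWS's documented sample key id
    {"source": "/var/log/app/config_dump.log", "user": "svc_deploy",
     "message": "loaded settings: password=******** (masked by app)"},
    {"source": "/var/log/app/token.log", "user": "ci",
     "message": "token=abcdefghijklmnopqrstuvwxyz0123"},  # pattern disabled in the lookup
]


def load_patterns(csv_text):
    """Read the lookup and keep only enabled rows as (name, regex) pairs."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["pattern_name"], r["regex"]) for r in rows if r["enabled"].strip() == "1"]


def build_combined_regex(patterns):
    """Fold every enabled row into one alternation of named groups; the group name
    tells us which lookup row fired, like building one rex statement from the lookup."""
    return re.compile("|".join(f"(?P<{name}>{regex})" for name, regex in patterns))


def load_suppressions(csv_text):
    """Compile the placeholder patterns used to drop known false positives."""
    return [re.compile(r["suppress_regex"]) for r in csv.DictReader(io.StringIO(csv_text))]


def scan_event(event, combined, suppressions):
    """First pass over the whole raw event; only on a hit do the per-field second pass
    that tells the analyst which field carried the offending value."""
    raw = " ".join(f"{k}={v}" for k, v in event.items())
    if not combined.search(raw):
        return []
    findings = []
    for field, value in event.items():
        for m in combined.finditer(str(value)):
            if any(s.search(m.group(0)) for s in suppressions):
                continue  # masked/redacted placeholder, not a real credential
            findings.append({"source": event.get("source"), "field": field,
                             "pattern": m.lastgroup, "match": m.group(0)})
    return findings


def detect(events, patterns_csv=CREDENTIAL_PATTERNS_CSV, suppress_csv=SUPPRESS_VALUE_CSV):
    """Run the lookup-driven scan over a batch of events and return analyst-ready rows."""
    combined = build_combined_regex(load_patterns(patterns_csv))
    suppressions = load_suppressions(suppress_csv)
    findings = []
    for ev in events:
        findings.extend(scan_event(ev, combined, suppressions))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['source']}: {f['pattern']} in field '{f['field']}' -> {f['match']}")
```

Run against the constructed events, the script reports the plaintext password in the config dump and the access key id in the credentials file, while the masked password and the disabled token row produce nothing. The two-pass structure matters for cost: the expensive per-field attribution only runs on events that already matched, which is also why the page warns to keep the search's time window short. The same edits an analyst would make to the lookup in Splunk (flipping a row's enabled flag, adding a suppression) are the only changes needed here.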

SPL for Credentials In File Detected

Live Data

First we select a few sources that might contain dumped credentials.