mirror of https://github.com/carlospolop/PEASS-ng synced 2025-04-01 08:19:19 +02:00

logo color, updated output, added -fullcheck flag

Added colors to the logo, so winPEAS looks like it should.
Updated the output to filter out erroneous information, which leads to the -fullcheck flag.
The flag adds all regex searches back into the script to check files/folders for data. However, the regexes do return false positives, so use it as a last resort.
StevenLtheThird 2023-10-11 15:57:35 -04:00
parent cab71afe3a
commit 4ee91b897a

@ -4,26 +4,34 @@
.DESCRIPTION .DESCRIPTION
For the legal enumeration of windows based computers that you either own or are approved to run this script on For the legal enumeration of windows based computers that you either own or are approved to run this script on
.EXAMPLE .EXAMPLE
.\WinPeas.ps1 # Default - normal operation with username/password audit in drives/registry
.\winPeas.ps1
# Full audit - normal operation with APIs / Keys / Tokens
## This will produce false positives ##
.\winPeas.ps1 -FullCheck
# Add Time stamps to each command # Add Time stamps to each command
.\WinPeas.ps1 -TimeStamp .\winPeas.ps1 -TimeStamp
.NOTES .NOTES
Version: 1.0 Version: 1.3
PEASS-ng Original Author: carlospolop PEASS-ng Original Author: carlospolop
WinPEAS.ps1 Author: @RandolphConley winPEAS.ps1 Author: @RandolphConley
Creation Date: 10/4/2022 Creation Date: 10/4/2022
Website: https://github.com/carlospolop/PEASS-ng Website: https://github.com/carlospolop/PEASS-ng
TESTED: PoSh 5,7 TESTED: PoSh 5,7
UNTESTED: Posh 3,4 UNTESTED: PoSh 3,4
INCOMPATIBLE: Posh 2 or lower NOT FULLY COMPATIBLE: PoSh 2 or lower
#> #>
######################## FUNCTIONS ######################## ######################## FUNCTIONS ########################
[CmdletBinding()] [CmdletBinding()]
param( param(
[switch]$TimeStamp [switch]$TimeStamp,
[switch]$FullCheck
) )
# Gather KB from all patches installed # Gather KB from all patches installed
@ -120,251 +128,287 @@ Function Get-ClipBoardText {
} }
} }
function h { Write-Host "##" -ForegroundColor Green } function Write-Color([String[]]$Text, [ConsoleColor[]]$Color) {
for ($i = 0; $i -lt $Text.Length; $i++) {
Write-Host $Text[$i] -Foreground $Color[$i] -NoNewline
}
Write-Host
}
" #Write-Color " ((,.,/((((((((((((((((((((/, */" -Color Green
((,.,/((((((((((((((((((((/, */ Write-Color ",/*,..*(((((((((((((((((((((((((((((((((," -Color Green
,/*,..*(((((((((((((((((((((((((((((((((, Write-Color ",*/((((((((((((((((((/, .*//((//**, .*((((((*" -Color Green
,*/((((((((((((((((((/, .*//((//**, .*((((((* Write-Color "((((((((((((((((", "* *****,,,", "\########## .(* ,((((((" -Color Green, Blue, Green
((((((((((((((((* *****,,,/########## .(* ,(((((( Write-Color "(((((((((((", "/*******************", "####### .(. ((((((" -Color Green, Blue, Green
(((((((((((/* ******************/####### .(. (((((( Write-Color "(((((((", "/******************", "/@@@@@/", "***", "\#######\((((((" -Color Green, Blue, White, Blue, Green
((((((..******************/@@@@@/***/###### /(((((( Write-Color ",,..", "**********************", "/@@@@@@@@@/", "***", ",#####.\/(((((" -Color Green, Blue, White, Blue, Green
,,..**********************@@@@@@@@@@(***,#### ../((((( Write-Color ", ,", "**********************", "/@@@@@+@@@/", "*********", "##((/ /((((" -Color Green, Blue, White, Blue, Green
, ,**********************#@@@@@#@@@@*********##((/ /(((( Write-Color "..(((##########", "*********", "/#@@@@@@@@@/", "*************", ",,..((((" -Color Green, Blue, White, Blue, Green
..(((##########*********/#@@@@@@@@@/*************,,..(((( Write-Color ".(((################(/", "******", "/@@@@@/", "****************", ".. /((" -Color Green, Blue, White, Blue, Green
.(((################(/******/@@@@@#****************.. /(( Write-Color ".((########################(/", "************************", "..*(" -Color Green, Blue, Green
.((########################(/************************..*( Write-Color ".((#############################(/", "********************", ".,(" -Color Green, Blue, Green
.((#############################(/********************.,( Write-Color ".((##################################(/", "***************", "..(" -Color Green, Blue, Green
.((##################################(/***************..( Write-Color ".((######################################(/", "***********", "..(" -Color Green, Blue, Green
.((######################################(************..( Write-Color ".((######", "(,.***.,(", "###################", "(..***", "(/*********", "..(" -Color Green, Green, Green, Green, Blue, Green
.((######(,.***.,(###################(..***(/*********..( Write-Color ".((######*", "(####((", "###################", "((######", "/(********", "..(" -Color Green, Green, Green, Green, Blue, Green
.((######*(#####((##################((######/(********..( Write-Color ".((##################", "(/**********(", "################(**...(" -Color Green, Green, Green
.((##################(/**********(################(**...( Write-Color ".(((####################", "/*******(", "###################.((((" -Color Green, Green, Green
.(((####################/*******(###################.(((( Write-Color ".(((((############################################/ /((" -Color Green
.(((((############################################/ /(( Write-Color "..(((((#########################################(..(((((." -Color Green
..(((((#########################################(..(((((. Write-Color "....(((((#####################################( .((((((." -Color Green
....(((((#####################################( .((((((. Write-Color "......(((((#################################( .(((((((." -Color Green
......(((((#################################( .(((((((. Write-Color "(((((((((. ,(############################(../(((((((((." -Color Green
(((((((((. ,(############################(../(((((((((. Write-Color " (((((((((/, ,####################(/..((((((((((." -Color Green
(((((((((/, ,####################(/..((((((((((. Write-Color " (((((((((/,. ,*//////*,. ./(((((((((((." -Color Green
(((((((((/,. ,*//////*,. ./(((((((((((. Write-Color " (((((((((((((((((((((((((((/" -Color Green
(((((((((((((((((((((((((((/ Write-Color " by CarlosPolop & RandolphConley" -Color Green
by CarlosPolop & RandolphConley
" ######################## VARIABLES ########################
# Manually added Regex search strings from https://github.com/carlospolop/PEASS-ng/blob/master/build_lists/sensitive_files.yaml # Manually added Regex search strings from https://github.com/carlospolop/PEASS-ng/blob/master/build_lists/sensitive_files.yaml
# Set these values to true to add them to the regex search by default
$password = $true
$username = $true
$webAuth = $true
$regexSearch = @{} $regexSearch = @{}
$regexSearch.add("Apr1 MD5", '\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}')
$regexSearch.add("Apache SHA", "\{SHA\}[0-9a-zA-Z/_=]{10,}") if ($password) {
$regexSearch.add("Blowfish", '\$2[abxyz]?\$[0-9]{2}\$[a-zA-Z0-9_/\.]*') $regexSearch.add("Simple Passwords1", "pass.*[=:].+")
$regexSearch.add("Drupal", '\$S\$[a-zA-Z0-9_/\.]{52}') $regexSearch.add("Simple Passwords2", "pwd.*[=:].+")
$regexSearch.add("Joomlavbulletin", "[0-9a-zA-Z]{32}:[a-zA-Z0-9_]{16,32}") $regexSearch.add("Apr1 MD5", '\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}')
$regexSearch.add("Linux MD5", '\$1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}') $regexSearch.add("Apache SHA", "\{SHA\}[0-9a-zA-Z/_=]{10,}")
$regexSearch.add("phpbb3", '\$H\$[a-zA-Z0-9_/\.]{31}') $regexSearch.add("Blowfish", '\$2[abxyz]?\$[0-9]{2}\$[a-zA-Z0-9_/\.]*')
$regexSearch.add("sha512crypt", '\$6\$[a-zA-Z0-9_/\.]{16}\$[a-zA-Z0-9_/\.]{86}') $regexSearch.add("Drupal", '\$S\$[a-zA-Z0-9_/\.]{52}')
$regexSearch.add("Wordpress", '\$P\$[a-zA-Z0-9_/\.]{31}') $regexSearch.add("Joomlavbulletin", "[0-9a-zA-Z]{32}:[a-zA-Z0-9_]{16,32}")
$regexSearch.add("md5", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{32}([^a-zA-Z0-9]|$)") $regexSearch.add("Linux MD5", '\$1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}')
$regexSearch.add("sha1", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)") $regexSearch.add("phpbb3", '\$H\$[a-zA-Z0-9_/\.]{31}')
$regexSearch.add("sha256", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{64}([^a-zA-Z0-9]|$)") $regexSearch.add("sha512crypt", '\$6\$[a-zA-Z0-9_/\.]{16}\$[a-zA-Z0-9_/\.]{86}')
$regexSearch.add("sha512", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{128}([^a-zA-Z0-9]|$)") $regexSearch.add("Wordpress", '\$P\$[a-zA-Z0-9_/\.]{31}')
$regexSearch.add("Artifactory API Token", "AKC[a-zA-Z0-9]{10,}") $regexSearch.add("md5", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{32}([^a-zA-Z0-9]|$)")
$regexSearch.add("Artifactory Password", "AP[0-9ABCDEF][a-zA-Z0-9]{8,}") $regexSearch.add("sha1", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)")
$regexSearch.add("Authorization Basic", "basic [a-zA-Z0-9_:\.=\-]+") $regexSearch.add("sha256", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{64}([^a-zA-Z0-9]|$)")
$regexSearch.add("Authorization Bearer", "bearer [a-zA-Z0-9_\.=\-]+") $regexSearch.add("sha512", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{128}([^a-zA-Z0-9]|$)")
$regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})") # This does not work correctly
$regexSearch.add("Adobe Client Id (Oauth Web)", "(adobe[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""]") #$regexSearch.add("Base32", "(?:[A-Z2-7]{8})*(?:[A-Z2-7]{2}={6}|[A-Z2-7]{4}={4}|[A-Z2-7]{5}={3}|[A-Z2-7]{7}=)?")
$regexSearch.add("Abode Client Secret", "(p8e-)[a-z0-9]{32}") $regexSearch.add("Base64", "(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[a-zA-Z0-9+\/]+={0,2}")
$regexSearch.add("Age Secret Key", "AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}")
$regexSearch.add("Airtable API Key", "([a-z0-9]{17})") }
$regexSearch.add("Alchemi API Key", "(alchemi[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9-]{32})['""]") if ($username) {
$regexSearch.add("Alibaba Access Key ID", "(LTAI)[a-z0-9]{20}") $regexSearch.add("Usernames1", "username[=:].+")
$regexSearch.add("Alibaba Secret Key", "(alibaba[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]") $regexSearch.add("Usernames2", "user[=:].+")
$regexSearch.add("Artifactory API Key & Password", "[""']AKC[a-zA-Z0-9]{10,}[""']|[""']AP[0-9ABCDEF][a-zA-Z0-9]{8,}[""']") $regexSearch.add("Usernames3", "login[=:].+")
$regexSearch.add("Asana Client ID", "((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9]{16})['""])|((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])") $regexSearch.add("Emails", "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}")
$regexSearch.add("Atlassian API Key", "(atlassian[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{24})['""]") $regexSearch.add("Net user add", "net user .+ /add")
$regexSearch.add("AWS Client ID", "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}") }
$regexSearch.add("AWS MWS Key", "amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
$regexSearch.add("AWS Secret Key", "aws(.{0,20})?['""][0-9a-zA-Z\/+]{40}['""]") if ($apiANDToken) {
$regexSearch.add("AWS AppSync GraphQL Key", "da2-[a-z0-9]{26}") $regexSearch.add("Artifactory API Token", "AKC[a-zA-Z0-9]{10,}")
$regexSearch.add("Base32", "(?:[A-Z2-7]{8})*(?:[A-Z2-7]{2}={6}|[A-Z2-7]{4}={4}|[A-Z2-7]{5}={3}|[A-Z2-7]{7}=)?") $regexSearch.add("Artifactory Password", "AP[0-9ABCDEF][a-zA-Z0-9]{8,}")
$regexSearch.add("Base64", "(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[a-zA-Z0-9+/]+={0,2}") $regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})")
$regexSearch.add("Basic Auth Credentials", "://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[a-zA-Z]+") $regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})")
$regexSearch.add("Beamer Client Secret", "(beamer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](b_[a-z0-9=_\-]{44})['""]") $regexSearch.add("Adobe Client Id (Oauth Web)", "(adobe[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""]")
$regexSearch.add("Binance API Key", "(binance[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{64})['""]") $regexSearch.add("Abode Client Secret", "(p8e-)[a-z0-9]{32}")
$regexSearch.add("Bitbucket Client Id", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])") $regexSearch.add("Age Secret Key", "AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}")
$regexSearch.add("Bitbucket Client Secret", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9_\-]{64})['""])") $regexSearch.add("Airtable API Key", "([a-z0-9]{17})")
$regexSearch.add("BitcoinAverage API Key", "(bitcoin.?average[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{43})['""]") $regexSearch.add("Alchemi API Key", "(alchemi[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9-]{32})['""]")
$regexSearch.add("Bitquery API Key", "(bitquery[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9]{32})['""]") $regexSearch.add("Artifactory API Key & Password", "[""']AKC[a-zA-Z0-9]{10,}[""']|[""']AP[0-9ABCDEF][a-zA-Z0-9]{8,}[""']")
$regexSearch.add("Bittrex Access Key and Access Key", "([a-z0-9]{32})") $regexSearch.add("Atlassian API Key", "(atlassian[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{24})['""]")
$regexSearch.add("Birise API Key", "(bitrise[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9_\-]{86})['""]") $regexSearch.add("Binance API Key", "(binance[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{64})['""]")
$regexSearch.add("Block API Key", "(block[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4})['""]") $regexSearch.add("Bitbucket Client Id", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
$regexSearch.add("Blockchain API Key", "mainnet[a-zA-Z0-9]{32}|testnet[a-zA-Z0-9]{32}|ipfs[a-zA-Z0-9]{32}") $regexSearch.add("Bitbucket Client Secret", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9_\-]{64})['""])")
$regexSearch.add("Blockfrost API Key", "(blockchain[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[0-9a-f]{12})['""]") $regexSearch.add("BitcoinAverage API Key", "(bitcoin.?average[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{43})['""]")
$regexSearch.add("Box API Key", "(box[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{32})['""]") $regexSearch.add("Bitquery API Key", "(bitquery[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9]{32})['""]")
$regexSearch.add("Bravenewcoin API Key", "(bravenewcoin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{50})['""]") $regexSearch.add("Bittrex Access Key and Access Key", "([a-z0-9]{32})")
$regexSearch.add("Clearbit API Key", "sk_[a-z0-9]{32}") $regexSearch.add("Birise API Key", "(bitrise[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9_\-]{86})['""]")
$regexSearch.add("Clojars API Key", "(CLOJARS_)[a-zA-Z0-9]{60}") $regexSearch.add("Block API Key", "(block[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4})['""]")
$regexSearch.add("Cloudinary Basic Auth", "cloudinary://[0-9]{15}:[0-9A-Za-z]+@[a-z]+") $regexSearch.add("Blockchain API Key", "mainnet[a-zA-Z0-9]{32}|testnet[a-zA-Z0-9]{32}|ipfs[a-zA-Z0-9]{32}")
$regexSearch.add("Coinbase Access Token", "([a-z0-9_-]{64})") $regexSearch.add("Blockfrost API Key", "(blockchain[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[0-9a-f]{12})['""]")
$regexSearch.add("Coinlayer API Key", "(coinlayer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]") $regexSearch.add("Box API Key", "(box[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{32})['""]")
$regexSearch.add("Coinlib API Key", "(coinlib[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{16})['""]") $regexSearch.add("Bravenewcoin API Key", "(bravenewcoin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{50})['""]")
$regexSearch.add("Confluent Access Token & Secret Key", "([a-z0-9]{16})") $regexSearch.add("Clearbit API Key", "sk_[a-z0-9]{32}")
$regexSearch.add("Contentful delivery API Key", "(contentful[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{43})['""]") $regexSearch.add("Clojars API Key", "(CLOJARS_)[a-zA-Z0-9]{60}")
$regexSearch.add("Covalent API Key", "ckey_[a-z0-9]{27}") $regexSearch.add("Coinbase Access Token", "([a-z0-9_-]{64})")
$regexSearch.add("Charity Search API Key", "(charity.?search[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]") $regexSearch.add("Coinlayer API Key", "(coinlayer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
$regexSearch.add("Databricks API Key", "dapi[a-h0-9]{32}") $regexSearch.add("Coinlib API Key", "(coinlib[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{16})['""]")
$regexSearch.add("DDownload API Key", "(ddownload[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{22})['""]") $regexSearch.add("Confluent Access Token & Secret Key", "([a-z0-9]{16})")
$regexSearch.add("Defined Networking API token", "(dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52})") $regexSearch.add("Contentful delivery API Key", "(contentful[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{43})['""]")
$regexSearch.add("Discord API Key, Client ID & Client Secret", "((discord[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-h0-9]{64}|[0-9]{18}|[a-z0-9=_\-]{32})['""])") $regexSearch.add("Covalent API Key", "ckey_[a-z0-9]{27}")
$regexSearch.add("Droneci Access Token", "([a-z0-9]{32})") $regexSearch.add("Charity Search API Key", "(charity.?search[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
$regexSearch.add("Dropbox API Key", "sl.[a-zA-Z0-9_-]{136}") $regexSearch.add("Databricks API Key", "dapi[a-h0-9]{32}")
$regexSearch.add("Doppler API Key", "(dp\.pt\.)[a-zA-Z0-9]{43}") $regexSearch.add("DDownload API Key", "(ddownload[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{22})['""]")
$regexSearch.add("Dropbox API secret/key, short & long lived API Key", "(dropbox[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{15}|sl\.[a-z0-9=_\-]{135}|[a-z0-9]{11}(AAAAAAAAAA)[a-z0-9_=\-]{43})['""]") $regexSearch.add("Defined Networking API token", "(dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52})")
$regexSearch.add("Duffel API Key", "duffel_(test|live)_[a-zA-Z0-9_-]{43}") $regexSearch.add("Discord API Key, Client ID & Client Secret", "((discord[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-h0-9]{64}|[0-9]{18}|[a-z0-9=_\-]{32})['""])")
$regexSearch.add("Dynatrace API Key", "dt0c01\.[a-zA-Z0-9]{24}\.[a-z0-9]{64}") $regexSearch.add("Droneci Access Token", "([a-z0-9]{32})")
$regexSearch.add("EasyPost API Key", "EZAK[a-zA-Z0-9]{54}") $regexSearch.add("Dropbox API Key", "sl.[a-zA-Z0-9_-]{136}")
$regexSearch.add("EasyPost test API Key", "EZTK[a-zA-Z0-9]{54}") $regexSearch.add("Doppler API Key", "(dp\.pt\.)[a-zA-Z0-9]{43}")
$regexSearch.add("Etherscan API Key", "(etherscan[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{34})['""]") $regexSearch.add("Dropbox API secret/key, short & long lived API Key", "(dropbox[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{15}|sl\.[a-z0-9=_\-]{135}|[a-z0-9]{11}(AAAAAAAAAA)[a-z0-9_=\-]{43})['""]")
$regexSearch.add("Etsy Access Token", "([a-z0-9]{24})") $regexSearch.add("Duffel API Key", "duffel_(test|live)_[a-zA-Z0-9_-]{43}")
$regexSearch.add("Facebook Access Token", "EAACEdEose0cBA[0-9A-Za-z]+") $regexSearch.add("Dynatrace API Key", "dt0c01\.[a-zA-Z0-9]{24}\.[a-z0-9]{64}")
$regexSearch.add("Facebook Client ID", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9]{13,17}") $regexSearch.add("EasyPost API Key", "EZAK[a-zA-Z0-9]{54}")
$regexSearch.add("Facebook Oauth", "[fF][aA][cC][eE][bB][oO][oO][kK].*['|""][0-9a-f]{32}['|""]") $regexSearch.add("EasyPost test API Key", "EZTK[a-zA-Z0-9]{54}")
$regexSearch.add("Facebook Secret Key", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9a-f]{32}") $regexSearch.add("Etherscan API Key", "(etherscan[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{34})['""]")
$regexSearch.add("Fastly API Key", "(fastly[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{32})['""]") $regexSearch.add("Etsy Access Token", "([a-z0-9]{24})")
$regexSearch.add("Finicity API Key & Client Secret", "(finicity[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32}|[a-z0-9]{20})['""]") $regexSearch.add("Facebook Access Token", "EAACEdEose0cBA[0-9A-Za-z]+")
$regexSearch.add("Flickr Access Token", "([a-z0-9]{32})") $regexSearch.add("Fastly API Key", "(fastly[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{32})['""]")
$regexSearch.add("Flutterweave Keys", "FLWPUBK_TEST-[a-hA-H0-9]{32}-X|FLWSECK_TEST-[a-hA-H0-9]{32}-X|FLWSECK_TEST[a-hA-H0-9]{12}") $regexSearch.add("Finicity API Key & Client Secret", "(finicity[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32}|[a-z0-9]{20})['""]")
$regexSearch.add("Frame.io API Key", "fio-u-[a-zA-Z0-9_=\-]{64}") $regexSearch.add("Flickr Access Token", "([a-z0-9]{32})")
$regexSearch.add("Freshbooks Access Token", "([a-z0-9]{64})") $regexSearch.add("Flutterweave Keys", "FLWPUBK_TEST-[a-hA-H0-9]{32}-X|FLWSECK_TEST-[a-hA-H0-9]{32}-X|FLWSECK_TEST[a-hA-H0-9]{12}")
$regexSearch.add("Github", "github(.{0,20})?['""][0-9a-zA-Z]{35,40}") $regexSearch.add("Frame.io API Key", "fio-u-[a-zA-Z0-9_=\-]{64}")
$regexSearch.add("Github App Token", "(ghu|ghs)_[0-9a-zA-Z]{36}") $regexSearch.add("Freshbooks Access Token", "([a-z0-9]{64})")
$regexSearch.add("Github OAuth Access Token", "gho_[0-9a-zA-Z]{36}") $regexSearch.add("Github", "github(.{0,20})?['""][0-9a-zA-Z]{35,40}")
$regexSearch.add("Github Personal Access Token", "ghp_[0-9a-zA-Z]{36}") $regexSearch.add("Github App Token", "(ghu|ghs)_[0-9a-zA-Z]{36}")
$regexSearch.add("Github Refresh Token", "ghr_[0-9a-zA-Z]{76}") $regexSearch.add("Github OAuth Access Token", "gho_[0-9a-zA-Z]{36}")
$regexSearch.add("GitHub Fine-Grained Personal Access Token", "github_pat_[0-9a-zA-Z_]{82}") $regexSearch.add("Github Personal Access Token", "ghp_[0-9a-zA-Z]{36}")
$regexSearch.add("Gitlab Personal Access Token", "glpat-[0-9a-zA-Z\-]{20}") $regexSearch.add("Github Refresh Token", "ghr_[0-9a-zA-Z]{76}")
$regexSearch.add("GitLab Pipeline Trigger Token", "glptt-[0-9a-f]{40}") $regexSearch.add("GitHub Fine-Grained Personal Access Token", "github_pat_[0-9a-zA-Z_]{82}")
$regexSearch.add("GitLab Runner Registration Token", "GR1348941[0-9a-zA-Z_\-]{20}") $regexSearch.add("Gitlab Personal Access Token", "glpat-[0-9a-zA-Z\-]{20}")
$regexSearch.add("Gitter Access Token", "([a-z0-9_-]{40})") $regexSearch.add("GitLab Pipeline Trigger Token", "glptt-[0-9a-f]{40}")
$regexSearch.add("GoCardless API Key", "live_[a-zA-Z0-9_=\-]{40}") $regexSearch.add("GitLab Runner Registration Token", "GR1348941[0-9a-zA-Z_\-]{20}")
$regexSearch.add("GoFile API Key", "(gofile[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{32})['""]") $regexSearch.add("Gitter Access Token", "([a-z0-9_-]{40})")
$regexSearch.add("Google API Key", "AIza[0-9A-Za-z_\-]{35}") $regexSearch.add("GoCardless API Key", "live_[a-zA-Z0-9_=\-]{40}")
$regexSearch.add("Google Cloud Platform API Key", "(google|gcp|youtube|drive|yt)(.{0,20})?['""][AIza[0-9a-z_\-]{35}]['""]") $regexSearch.add("GoFile API Key", "(gofile[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{32})['""]")
$regexSearch.add("Google Drive Oauth", "[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com") $regexSearch.add("Google API Key", "AIza[0-9A-Za-z_\-]{35}")
$regexSearch.add("Google Oauth Access Token", "ya29\.[0-9A-Za-z_\-]+") $regexSearch.add("Google Cloud Platform API Key", "(google|gcp|youtube|drive|yt)(.{0,20})?['""][AIza[0-9a-z_\-]{35}]['""]")
$regexSearch.add("Google (GCP) Service-account", """type.+:.+""service_account") $regexSearch.add("Google Drive Oauth", "[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com")
$regexSearch.add("Grafana API Key", "eyJrIjoi[a-z0-9_=\-]{72,92}") $regexSearch.add("Google Oauth Access Token", "ya29\.[0-9A-Za-z_\-]+")
$regexSearch.add("Grafana cloud api token", "glc_[A-Za-z0-9\+/]{32,}={0,2}") $regexSearch.add("Google (GCP) Service-account", """type.+:.+""service_account")
$regexSearch.add("Grafana service account token", "(glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})") $regexSearch.add("Grafana API Key", "eyJrIjoi[a-z0-9_=\-]{72,92}")
$regexSearch.add("Hashicorp Terraform user/org API Key", "[a-z0-9]{14}\.atlasv1\.[a-z0-9_=\-]{60,70}") $regexSearch.add("Grafana cloud api token", "glc_[A-Za-z0-9\+/]{32,}={0,2}")
$regexSearch.add("Heroku API Key", "[hH][eE][rR][oO][kK][uU].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}") $regexSearch.add("Grafana service account token", "(glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})")
$regexSearch.add("Hubspot API Key", "['""][a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12}['""]") $regexSearch.add("Hashicorp Terraform user/org API Key", "[a-z0-9]{14}\.atlasv1\.[a-z0-9_=\-]{60,70}")
$regexSearch.add("Instatus API Key", "(instatus[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]") $regexSearch.add("Heroku API Key", "[hH][eE][rR][oO][kK][uU].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}")
$regexSearch.add("Intercom API Key & Client Secret/ID", "(intercom[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_]{60}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]") $regexSearch.add("Hubspot API Key", "['""][a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12}['""]")
$regexSearch.add("Ionic API Key", "(ionic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](ion_[a-z0-9]{42})['""]") $regexSearch.add("Instatus API Key", "(instatus[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
$regexSearch.add("Jenkins Creds", "<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<") $regexSearch.add("Intercom API Key & Client Secret/ID", "(intercom[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_]{60}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]")
$regexSearch.add("JSON Web Token", "(ey[0-9a-z]{30,34}\.ey[0-9a-z\/_\-]{30,}\.[0-9a-zA-Z\/_\-]{10,}={0,2})") $regexSearch.add("Ionic API Key", "(ionic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](ion_[a-z0-9]{42})['""]")
$regexSearch.add("Kraken Access Token", "([a-z0-9\/=_\+\-]{80,90})") $regexSearch.add("JSON Web Token", "(ey[0-9a-z]{30,34}\.ey[0-9a-z\/_\-]{30,}\.[0-9a-zA-Z\/_\-]{10,}={0,2})")
$regexSearch.add("Kucoin Access Token", "([a-f0-9]{24})") $regexSearch.add("Kraken Access Token", "([a-z0-9\/=_\+\-]{80,90})")
$regexSearch.add("Kucoin Secret Key", "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})") $regexSearch.add("Kucoin Access Token", "([a-f0-9]{24})")
$regexSearch.add("Launchdarkly Access Token", "([a-z0-9=_\-]{40})") $regexSearch.add("Kucoin Secret Key", "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
$regexSearch.add("Linear API Key", "(lin_api_[a-zA-Z0-9]{40})") $regexSearch.add("Launchdarkly Access Token", "([a-z0-9=_\-]{40})")
$regexSearch.add("Linear Client Secret/ID", "((linear[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""])") $regexSearch.add("Linear API Key", "(lin_api_[a-zA-Z0-9]{40})")
$regexSearch.add("LinkedIn Client ID", "linkedin(.{0,20})?['""][0-9a-z]{12}['""]") $regexSearch.add("Linear Client Secret/ID", "((linear[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""])")
$regexSearch.add("LinkedIn Secret Key", "linkedin(.{0,20})?['""][0-9a-z]{16}['""]") $regexSearch.add("LinkedIn Client ID", "linkedin(.{0,20})?['""][0-9a-z]{12}['""]")
$regexSearch.add("Lob API Key", "((lob[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]((live|test)_[a-f0-9]{35})['""])|((lob[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]((test|live)_pub_[a-f0-9]{31})['""])") $regexSearch.add("LinkedIn Secret Key", "linkedin(.{0,20})?['""][0-9a-z]{16}['""]")
$regexSearch.add("Lob Publishable API Key", "((test|live)_pub_[a-f0-9]{31})") $regexSearch.add("Lob API Key", "((lob[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]((live|test)_[a-f0-9]{35})['""])|((lob[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]((test|live)_pub_[a-f0-9]{31})['""])")
$regexSearch.add("MailboxValidator", "(mailbox.?validator[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{20})['""]") $regexSearch.add("Lob Publishable API Key", "((test|live)_pub_[a-f0-9]{31})")
$regexSearch.add("Mailchimp API Key", "[0-9a-f]{32}-us[0-9]{1,2}") $regexSearch.add("MailboxValidator", "(mailbox.?validator[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{20})['""]")
$regexSearch.add("Mailgun API Key", "key-[0-9a-zA-Z]{32}'") $regexSearch.add("Mailchimp API Key", "[0-9a-f]{32}-us[0-9]{1,2}")
$regexSearch.add("Mailgun Public Validation Key", "pubkey-[a-f0-9]{32}") $regexSearch.add("Mailgun API Key", "key-[0-9a-zA-Z]{32}'")
$regexSearch.add("Mailgun Webhook signing key", "[a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8}") $regexSearch.add("Mailgun Public Validation Key", "pubkey-[a-f0-9]{32}")
$regexSearch.add("Mapbox API Key", "(pk\.[a-z0-9]{60}\.[a-z0-9]{22})") $regexSearch.add("Mailgun Webhook signing key", "[a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8}")
$regexSearch.add("Mattermost Access Token", "([a-z0-9]{26})") $regexSearch.add("Mapbox API Key", "(pk\.[a-z0-9]{60}\.[a-z0-9]{22})")
$regexSearch.add("MessageBird API Key & API client ID", "(messagebird[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{25}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]") $regexSearch.add("Mattermost Access Token", "([a-z0-9]{26})")
$regexSearch.add("Microsoft Teams Webhook", "https:\/\/[a-z0-9]+\.webhook\.office\.com\/webhookb2\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}@[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}\/IncomingWebhook\/[a-z0-9]{32}\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}") $regexSearch.add("MessageBird API Key & API client ID", "(messagebird[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{25}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]")
$regexSearch.add("MojoAuth API Key", "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}") $regexSearch.add("Microsoft Teams Webhook", "https:\/\/[a-z0-9]+\.webhook\.office\.com\/webhookb2\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}@[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}\/IncomingWebhook\/[a-z0-9]{32}\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}")
$regexSearch.add("Netlify Access Token", "([a-z0-9=_\-]{40,46})") $regexSearch.add("MojoAuth API Key", "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}")
$regexSearch.add("New Relic User API Key, User API ID & Ingest Browser API Key", "(NRAK-[A-Z0-9]{27})|((newrelic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{64})['""])|(NRJS-[a-f0-9]{19})") $regexSearch.add("Netlify Access Token", "([a-z0-9=_\-]{40,46})")
$regexSearch.add("Nownodes", "(nownodes[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9]{32})['""]") $regexSearch.add("New Relic User API Key, User API ID & Ingest Browser API Key", "(NRAK-[A-Z0-9]{27})|((newrelic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{64})['""])|(NRJS-[a-f0-9]{19})")
$regexSearch.add("Npm Access Token", "(npm_[a-zA-Z0-9]{36})") $regexSearch.add("Nownodes", "(nownodes[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9]{32})['""]")
$regexSearch.add("Nytimes Access Token", "([a-z0-9=_\-]{32})") $regexSearch.add("Npm Access Token", "(npm_[a-zA-Z0-9]{36})")
$regexSearch.add("Okta Access Token", "([a-z0-9=_\-]{42})") $regexSearch.add("Nytimes Access Token", "([a-z0-9=_\-]{32})")
$regexSearch.add("OpenAI API Token", "sk-[A-Za-z0-9]{48}") $regexSearch.add("Okta Access Token", "([a-z0-9=_\-]{42})")
$regexSearch.add("ORB Intelligence Access Key", "['""][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['""]") $regexSearch.add("OpenAI API Token", "sk-[A-Za-z0-9]{48}")
$regexSearch.add("Pastebin API Key", "(pastebin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]") $regexSearch.add("ORB Intelligence Access Key", "['""][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['""]")
$regexSearch.add("PayPal Braintree Access Token", 'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}') $regexSearch.add("Pastebin API Key", "(pastebin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
$regexSearch.add("Picatic API Key", "sk_live_[0-9a-z]{32}") $regexSearch.add("PayPal Braintree Access Token", 'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}')
$regexSearch.add("Pinata API Key", "(pinata[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{64})['""]") $regexSearch.add("Picatic API Key", "sk_live_[0-9a-z]{32}")
$regexSearch.add("Planetscale API Key", "pscale_tkn_[a-zA-Z0-9_\.\-]{43}") $regexSearch.add("Pinata API Key", "(pinata[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{64})['""]")
$regexSearch.add("PlanetScale OAuth token", "(pscale_oauth_[a-zA-Z0-9_\.\-]{32,64})") $regexSearch.add("Planetscale API Key", "pscale_tkn_[a-zA-Z0-9_\.\-]{43}")
$regexSearch.add("Planetscale Password", "pscale_pw_[a-zA-Z0-9_\.\-]{43}") $regexSearch.add("PlanetScale OAuth token", "(pscale_oauth_[a-zA-Z0-9_\.\-]{32,64})")
$regexSearch.add("Plaid API Token", "(access-(?:sandbox|development|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})") $regexSearch.add("Planetscale Password", "pscale_pw_[a-zA-Z0-9_\.\-]{43}")
$regexSearch.add("Plaid Client ID", "([a-z0-9]{24})") $regexSearch.add("Plaid API Token", "(access-(?:sandbox|development|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
$regexSearch.add("Plaid Secret key", "([a-z0-9]{30})") $regexSearch.add("Plaid Client ID", "([a-z0-9]{24})")
$regexSearch.add("Prefect API token", "(pnu_[a-z0-9]{36})") $regexSearch.add("Plaid Secret key", "([a-z0-9]{30})")
$regexSearch.add("Postman API Key", "PMAK-[a-fA-F0-9]{24}-[a-fA-F0-9]{34}") $regexSearch.add("Prefect API token", "(pnu_[a-z0-9]{36})")
$regexSearch.add("Private Keys", "\-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN OPENSSH PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN PGP PRIVATE KEY BLOCK\-\-\-\-\-|\-\-\-\-\-BEGIN DSA PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN EC PRIVATE KEY\-\-\-\-\-") $regexSearch.add("Postman API Key", "PMAK-[a-fA-F0-9]{24}-[a-fA-F0-9]{34}")
$regexSearch.add("Pulumi API Key", "pul-[a-f0-9]{40}") $regexSearch.add("Private Keys", "\-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN OPENSSH PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN PGP PRIVATE KEY BLOCK\-\-\-\-\-|\-\-\-\-\-BEGIN DSA PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN EC PRIVATE KEY\-\-\-\-\-")
$regexSearch.add("PyPI upload token", "pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_\-]{50,}") $regexSearch.add("Pulumi API Key", "pul-[a-f0-9]{40}")
$regexSearch.add("Quip API Key", "(quip[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{15}=\|[0-9]{10}\|[a-zA-Z0-9\/+]{43}=)['""]") $regexSearch.add("PyPI upload token", "pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_\-]{50,}")
$regexSearch.add("RapidAPI Access Token", "([a-z0-9_-]{50})") $regexSearch.add("Quip API Key", "(quip[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{15}=\|[0-9]{10}\|[a-zA-Z0-9\/+]{43}=)['""]")
$regexSearch.add("Rubygem API Key", "rubygems_[a-f0-9]{48}") $regexSearch.add("RapidAPI Access Token", "([a-z0-9_-]{50})")
$regexSearch.add("Readme API token", "rdme_[a-z0-9]{70}") $regexSearch.add("Rubygem API Key", "rubygems_[a-f0-9]{48}")
$regexSearch.add("Sendbird Access ID", "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})") $regexSearch.add("Readme API token", "rdme_[a-z0-9]{70}")
$regexSearch.add("Sendbird Access Token", "([a-f0-9]{40})") $regexSearch.add("Sendbird Access ID", "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
$regexSearch.add("Sendgrid API Key", "SG\.[a-zA-Z0-9_\.\-]{66}") $regexSearch.add("Sendbird Access Token", "([a-f0-9]{40})")
$regexSearch.add("Sendinblue API Key", "xkeysib-[a-f0-9]{64}-[a-zA-Z0-9]{16}") $regexSearch.add("Sendgrid API Key", "SG\.[a-zA-Z0-9_\.\-]{66}")
$regexSearch.add("Sentry Access Token", "([a-f0-9]{64})") $regexSearch.add("Sendinblue API Key", "xkeysib-[a-f0-9]{64}-[a-zA-Z0-9]{16}")
$regexSearch.add("Shippo API Key, Access Token, Custom Access Token, Private App Access Token & Shared Secret", "shippo_(live|test)_[a-f0-9]{40}|shpat_[a-fA-F0-9]{32}|shpca_[a-fA-F0-9]{32}|shppa_[a-fA-F0-9]{32}|shpss_[a-fA-F0-9]{32}") $regexSearch.add("Sentry Access Token", "([a-f0-9]{64})")
$regexSearch.add("Sidekiq Secret", "([a-f0-9]{8}:[a-f0-9]{8})") $regexSearch.add("Shippo API Key, Access Token, Custom Access Token, Private App Access Token & Shared Secret", "shippo_(live|test)_[a-f0-9]{40}|shpat_[a-fA-F0-9]{32}|shpca_[a-fA-F0-9]{32}|shppa_[a-fA-F0-9]{32}|shpss_[a-fA-F0-9]{32}")
$regexSearch.add("Sidekiq Sensitive URL", "([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)") $regexSearch.add("Sidekiq Secret", "([a-f0-9]{8}:[a-f0-9]{8})")
$regexSearch.add("Slack Token", "xox[baprs]-([0-9a-zA-Z]{10,48})?") $regexSearch.add("Sidekiq Sensitive URL", "([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)")
$regexSearch.add("Slack Webhook", "https://hooks.slack.com/services/T[a-zA-Z0-9_]{10}/B[a-zA-Z0-9_]{10}/[a-zA-Z0-9_]{24}") $regexSearch.add("Slack Token", "xox[baprs]-([0-9a-zA-Z]{10,48})?")
$regexSearch.add("Smarksheel API Key", "(smartsheet[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{26})['""]") $regexSearch.add("Slack Webhook", "https://hooks.slack.com/services/T[a-zA-Z0-9_]{10}/B[a-zA-Z0-9_]{10}/[a-zA-Z0-9_]{24}")
$regexSearch.add("Square Access Token", "sqOatp-[0-9A-Za-z_\-]{22}") $regexSearch.add("Smarksheel API Key", "(smartsheet[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{26})['""]")
$regexSearch.add("Square API Key", "EAAAE[a-zA-Z0-9_-]{59}") $regexSearch.add("Square Access Token", "sqOatp-[0-9A-Za-z_\-]{22}")
$regexSearch.add("Square Oauth Secret", "sq0csp-[ 0-9A-Za-z_\-]{43}") $regexSearch.add("Square API Key", "EAAAE[a-zA-Z0-9_-]{59}")
$regexSearch.add("Stytch API Key", "secret-.*-[a-zA-Z0-9_=\-]{36}") $regexSearch.add("Square Oauth Secret", "sq0csp-[ 0-9A-Za-z_\-]{43}")
$regexSearch.add("Stripe Access Token & API Key", "(sk|pk)_(test|live)_[0-9a-z]{10,32}|k_live_[0-9a-zA-Z]{24}") $regexSearch.add("Stytch API Key", "secret-.*-[a-zA-Z0-9_=\-]{36}")
$regexSearch.add("SumoLogic Access ID", "([a-z0-9]{14})") $regexSearch.add("Stripe Access Token & API Key", "(sk|pk)_(test|live)_[0-9a-z]{10,32}|k_live_[0-9a-zA-Z]{24}")
$regexSearch.add("SumoLogic Access Token", "([a-z0-9]{64})") $regexSearch.add("SumoLogic Access ID", "([a-z0-9]{14})")
$regexSearch.add("Telegram Bot API Token", "[0-9]+:AA[0-9A-Za-z\\-_]{33}") $regexSearch.add("SumoLogic Access Token", "([a-z0-9]{64})")
$regexSearch.add("Travis CI Access Token", "([a-z0-9]{22})") $regexSearch.add("Telegram Bot API Token", "[0-9]+:AA[0-9A-Za-z\\-_]{33}")
$regexSearch.add("Trello API Key", "(trello[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-z]{32})['""]") $regexSearch.add("Travis CI Access Token", "([a-z0-9]{22})")
$regexSearch.add("Twilio API Key", "SK[0-9a-fA-F]{32}") $regexSearch.add("Trello API Key", "(trello[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-z]{32})['""]")
$regexSearch.add("Twitch API Key", "(twitch[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]") $regexSearch.add("Twilio API Key", "SK[0-9a-fA-F]{32}")
$regexSearch.add("Twitter Client ID", "[tT][wW][iI][tT][tT][eE][rR](.{0,20})?['""][0-9a-z]{18,25}") $regexSearch.add("Twitch API Key", "(twitch[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]")
$regexSearch.add("Twitter Bearer Token", "(A{22}[a-zA-Z0-9%]{80,100})") $regexSearch.add("Twitter Client ID", "[tT][wW][iI][tT][tT][eE][rR](.{0,20})?['""][0-9a-z]{18,25}")
$regexSearch.add("Twitter Oauth", "[tT][wW][iI][tT][tT][eE][rR].{0,30}['""\\s][0-9a-zA-Z]{35,44}['""\\s]") $regexSearch.add("Twitter Bearer Token", "(A{22}[a-zA-Z0-9%]{80,100})")
$regexSearch.add("Twitter Secret Key", "[tT][wW][iI][tT][tT][eE][rR](.{0,20})?['""][0-9a-z]{35,44}") $regexSearch.add("Twitter Oauth", "[tT][wW][iI][tT][tT][eE][rR].{0,30}['""\\s][0-9a-zA-Z]{35,44}['""\\s]")
$regexSearch.add("Typeform API Key", "tfp_[a-z0-9_\.=\-]{59}") $regexSearch.add("Twitter Secret Key", "[tT][wW][iI][tT][tT][eE][rR](.{0,20})?['""][0-9a-z]{35,44}")
$regexSearch.add("URLScan API Key", "['""][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['""]") $regexSearch.add("Typeform API Key", "tfp_[a-z0-9_\.=\-]{59}")
$regexSearch.add("Vault Token", "[sb]\.[a-zA-Z0-9]{24}") $regexSearch.add("URLScan API Key", "['""][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['""]")
$regexSearch.add("Yandex Access Token", "(t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2})") $regexSearch.add("Vault Token", "[sb]\.[a-zA-Z0-9]{24}")
$regexSearch.add("Yandex API Key", "(AQVN[A-Za-z0-9_\-]{35,38})") $regexSearch.add("Yandex Access Token", "(t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2})")
$regexSearch.add("Yandex AWS Access Token", "(YC[a-zA-Z0-9_\-]{38})") $regexSearch.add("Yandex API Key", "(AQVN[A-Za-z0-9_\-]{35,38})")
$regexSearch.add("Web3 API Key", "(web3[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9_=\-]+\.[A-Za-z0-9_=\-]+\.?[A-Za-z0-9_.+/=\-]*)['""]") $regexSearch.add("Yandex AWS Access Token", "(YC[a-zA-Z0-9_\-]{38})")
$regexSearch.add("Zendesk Secret Key", "([a-z0-9]{40})") $regexSearch.add("Web3 API Key", "(web3[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9_=\-]+\.[A-Za-z0-9_=\-]+\.?[A-Za-z0-9_.+/=\-]*)['""]")
$regexSearch.add("Generic API Key", "((key|api|token|secret|password)[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]") $regexSearch.add("Zendesk Secret Key", "([a-z0-9]{40})")
$regexSearch.add("Generic Secret", "[sS][eE][cC][rR][eE][tT].*['""][0-9a-zA-Z]{32,45}['""]") $regexSearch.add("Generic API Key", "((key|api|token|secret|password)[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]")
$regexSearch.add("Basic Auth", "//(.+):(.+)@") }
$regexSearch.add("PHP Passwords", "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass|pass').*[=:].+|define ?\('(\w*pass|\w*pwd|\w*user|\w*datab)")
$regexSearch.add("Config Secrets", "passwd.*|creden.*|^kind:[^a-zA-Z0-9_]?Secret|[^a-zA-Z0-9_]env:|secret:|secretName:|^kind:[^a-zA-Z0-9_]?EncryptionConfiguration|\-\-encryption\-provider\-config") if ($webAuth) {
$regexSearch.add("Simple Passwords", "passw.*[=:].+") $regexSearch.add("Authorization Basic", "basic [a-zA-Z0-9_:\.=\-]+")
$regexSearch.add("Generiac API tokens search", "(access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key| amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret| api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret| application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket| aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password| bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key| bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver| cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret| client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password| cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|conn.login| connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test| datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password| digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd| docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid| dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password| env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .,<\-]{0,25}(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]") $regexSearch.add("Authorization Bearer", "bearer [a-zA-Z0-9_\.=\-]+")
$regexSearch.add("Usernames", "username.*[=:].+") $regexSearch.add("Alibaba Access Key ID", "(LTAI)[a-z0-9]{20}")
$regexSearch.add("Net user add", "net user .+ /add") $regexSearch.add("Alibaba Secret Key", "(alibaba[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]")
$regexSearch.add("Asana Client ID", "((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9]{16})['""])|((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
$regexSearch.add("AWS Client ID", "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}")
$regexSearch.add("AWS MWS Key", "amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
$regexSearch.add("AWS Secret Key", "aws(.{0,20})?['""][0-9a-zA-Z\/+]{40}['""]")
$regexSearch.add("AWS AppSync GraphQL Key", "da2-[a-z0-9]{26}")
$regexSearch.add("Basic Auth Credentials", "://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[a-zA-Z]+")
$regexSearch.add("Beamer Client Secret", "(beamer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](b_[a-z0-9=_\-]{44})['""]")
$regexSearch.add("Cloudinary Basic Auth", "cloudinary://[0-9]{15}:[0-9A-Za-z]+@[a-z]+")
$regexSearch.add("Facebook Client ID", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9]{13,17}")
$regexSearch.add("Facebook Oauth", "[fF][aA][cC][eE][bB][oO][oO][kK].*['|""][0-9a-f]{32}['|""]")
$regexSearch.add("Facebook Secret Key", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9a-f]{32}")
$regexSearch.add("Jenkins Creds", "<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<")
$regexSearch.add("Generic Secret", "[sS][eE][cC][rR][eE][tT].*['""][0-9a-zA-Z]{32,45}['""]")
$regexSearch.add("Basic Auth", "//(.+):(.+)@")
$regexSearch.add("PHP Passwords", "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass|pass').*[=:].+|define ?\('(\w*pass|\w*pwd|\w*user|\w*datab)")
$regexSearch.add("Config Secrets (Passwd / Credentials)", "passwd.*|creden.*|^kind:[^a-zA-Z0-9_]?Secret|[^a-zA-Z0-9_]env:|secret:|secretName:|^kind:[^a-zA-Z0-9_]?EncryptionConfiguration|\-\-encryption\-provider\-config")
$regexSearch.add("Generiac API tokens search", "(access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key| amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret| api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret| application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket| aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password| bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key| bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver| cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret| client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password| cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|conn.login| connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test| datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password| digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd| docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid| dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password| env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .,<\-]{0,25}(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]")
}
$regexSearch.add("IPs", "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)") $regexSearch.add("IPs", "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")
$regexSearch.add("Emails", "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}") $Drives = Get-PSDrive | Where-Object { $_.Root -like "*:\" }
$fileExtensions = @("*.xml", "*.txt", "*.conf", "*.config", "*.cfg", "*.ini", ".y*ml", "*.log", "*.bak")
######################## INTRODUCTION ######################## ######################## INTRODUCTION ########################
$stopwatch = [system.diagnostics.stopwatch]::StartNew() $stopwatch = [system.diagnostics.stopwatch]::StartNew()
if($FullCheck){
Write-Host "**Full Check Enabled. This will significantly increase false positives in registry / folder check for Usernames / Passwords.**"
}
# Introduction # Introduction
Write-Host -ForegroundColor cyan "ADVISORY: WinPEAS - Windows local Privilege Escalation Awesome Script" Write-Host -BackgroundColor Red -ForegroundColor White "ADVISORY: WinPEAS - Windows local Privilege Escalation Awesome Script"
Write-Host -ForegroundColor cyan "WinPEAS should be used for authorized penetration testing and/or educational purposes only" Write-Host -BackgroundColor Red -ForegroundColor White "WinPEAS should be used for authorized penetration testing and/or educational purposes only"
Write-Host -ForegroundColor cyan "Any misuse of this software will not be the responsibility of the author or of any other collaborator" Write-Host -BackgroundColor Red -ForegroundColor White "Any misuse of this software will not be the responsibility of the author or of any other collaborator"
Write-Host -ForegroundColor cyan "Use it at your own networks and/or with the network owner's explicit permission" Write-Host -BackgroundColor Red -ForegroundColor White "Use it at your own networks and/or with the network owner's explicit permission"
# Color Scheme Introduction # Color Scheme Introduction
@ -1352,9 +1396,46 @@ if ($TimeStamp) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Recycle Bin TIP:" Write-Host -ForegroundColor Blue "=========|| Recycle Bin TIP:"
Write-Host "if credentials are found in the recycle bin, tool from nirsoft may assist: http://www.nirsoft.net/password_recovery_tools.html" -ForegroundColor Yellow Write-Host "if credentials are found in the recycle bin, tool from nirsoft may assist: http://www.nirsoft.net/password_recovery_tools.html" -ForegroundColor Yellow
Write-Host ""
if ($TimeStamp) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Password Check in Files/Folders"
# Looking through the entire computer for passwords
if ($TimeStamp) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Password Check. Starting at root of each drive. This will take some time. Like, grab a coffee or tea kinda time."
Write-Host -ForegroundColor Blue "=========|| Looking through each drive, searching for $fileExtensions"
# Also looks for MCaffee site list while looping through the drives.
$Drives.Root | ForEach-Object {
$Drive = $_
Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {
$path = $_
if ($Path.FullName -like '*Lang*') {
#Write-Host "$($_.FullName) found!" -ForegroundColor red
}
else {
if ($path.Length -gt 0) {
# Write-Host -ForegroundColor Blue "Path name matches extension search: $path"
}
if ($path -like "*SiteList.xml") {
Write-Host "Possible MCaffee Site List Found: $($_.FullName)"
Write-Host "Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption" -ForegroundColor Yellow
}
$regexSearch.keys | ForEach-Object {
$passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1
if ($passwordFound) {
Write-Host "Possible Password found: $_" -ForegroundColor Yellow
Write-Host $Path.FullName
Write-Host -ForegroundColor Blue "$_ triggered"
Write-Host $passwordFound -ForegroundColor Red
}
}
}
}
}
Write-Host -ForegroundColor Blue "=========|| Registry Password Check" Write-Host -ForegroundColor Blue "=========|| Registry Password Check"
# Looking through the entire registry for passwords # Looking through the entire registry for passwords
Write-Host "Checking over 200 different password regex types."
Write-Host "This will take some time. Won't you have a pepsi?" Write-Host "This will take some time. Won't you have a pepsi?"
$regPath = @("registry::\HKEY_CURRENT_USER\", "registry::\HKEY_LOCAL_MACHINE\") $regPath = @("registry::\HKEY_CURRENT_USER\", "registry::\HKEY_LOCAL_MACHINE\")
# Search for the string in registry values and properties # Search for the string in registry values and properties
@ -1382,33 +1463,3 @@ foreach ($r in $regPath) {
if ($TimeStamp) { TimeElapsed } if ($TimeStamp) { TimeElapsed }
Write-Host "Finished $r" Write-Host "Finished $r"
} }
Write-Host ""
if ($TimeStamp) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Password Check in Files"
# Looking through the entire computer for passwords
$Drives = Get-PSDrive | Where-Object { $_.Root -like "*:\" }
$fileExtensions = @("*.xml", "*.txt", "*.conf","*.config", "*.cfg", "*.ini", ".y*ml", "*.log", "*.bak")
Write-Host ""
if ($TimeStamp) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Password Check. Starting at root of each drive. This will take some time. Like, grab a coffee or tea."
Write-Host -ForegroundColor Blue "=========|| Looking through each drive, searching for $fileExtensions"
# Also looks for MCaffee site list while looping through the drives.
$Drives.Root | ForEach-Object {
$Drive = $_
Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue | ForEach-Object {
$path = $_
if ($path -like "*SiteList.xml") {
Write-Host "Possible MCaffee Site List Found: $($_.FullName)"
Write-Host "Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption" -ForegroundColor Yellow
}
$regexSearch.keys | ForEach-Object {
$password = Get-Content $path.FullName -ErrorAction SilentlyContinue | Select-String $regexSearch[$_]
if ($password) {
Write-Host "Possible Password found: $_" -ForegroundColor Yellow
Write-Host $Path.FullName
Write-Host $password -ForegroundColor Red
}
}
}
}