From 7202bb93737f01dbbbd2015b3c6bcaa238634582 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Thu, 26 Jun 2025 21:24:07 -0700
Subject: [PATCH] Added rules for twitter, wireguard, onepassword, droneci
---
data/rules/droneci.yml | 42 ++++++++++++++++++++++++++++++
data/rules/odbc.yml | 37 --------------------------
data/rules/onepassword.yml | 53 ++++++++++++++++++++++++++++++++++++++
data/rules/twitter.yml | 38 +++++++++++++++++++++++++++
data/rules/wireguard.yml | 35 +++++++++++++++++++++++++
5 files changed, 168 insertions(+), 37 deletions(-)
create mode 100644 data/rules/droneci.yml
create mode 100644 data/rules/onepassword.yml
create mode 100644 data/rules/twitter.yml
create mode 100644 data/rules/wireguard.yml
diff --git a/data/rules/droneci.yml b/data/rules/droneci.yml
new file mode 100644
index 0000000..8e26b66
--- /dev/null
+++ b/data/rules/droneci.yml
@@ -0,0 +1,42 @@
+rules:
+ - name: DroneCI Access Token
+ id: kingfisher.drone.1
+ pattern: |
+ (?xi)
+ \b
+ (?:drone|droneci|drone[_-])
+ (?:.|[\n\r]){0,16}?
+ (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
+ (?:.|[\n\r]){0,16}?
+ \b
+ (
+ ey[A-Za-z0-9_-]{30,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}
+ |
+ [a-f0-9]{32,64}
+ )
+ \b
+ min_entropy: 3.5
+ confidence: medium
+ examples:
+ - export DRONE_TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZGVtbyJ9.GEPa7kCDdw4nruBKgLkQF1EGMZVvJ1kM4sMp9p8a1x4
+ - drone_token = fe8c402a51e6629aa1f43a4234afee81
+ validation:
+ type: Http
+ content:
+ request:
+ method: GET
+ url: https://cloud.drone.io/api/user
+ headers:
+ Authorization: "Bearer {{ TOKEN }}"
+ Accept: application/json
+ response_matcher:
+ - report_response: true
+ - type: StatusMatch
+ status: [200]
+ - type: WordMatch
+ words: ['"email"']
+ match_all_words: true
+ references:
+ - https://docs.drone.io/api/overview/
+ - https://0-8-0.docs.drone.io/api-authentication/
+ - https://docs.drone.io/server/user/machine/
diff --git a/data/rules/odbc.yml b/data/rules/odbc.yml
index df536ea..6593f92 100644
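Review bot: The validator's `url:` line is pinned to `https://cloud.drone.io/api/user`, but Drone is predominantly self-hosted, so a live token issued by any other server gets a non-200 from cloud.drone.io and is reported as unverified; a comment on that line such as `# validation reaches cloud.drone.io only; tokens for self-hosted servers will not verify` would stop such a result being read as a dead credential. The alternation `(?:drone|droneci|drone[_-])` collapses to `drone`, since the lazy `(?:.|[\n\r]){0,16}?` that follows absorbs the `ci` or the separator anyway. This file, onepassword.yml and twitter.yml also omit the `categories:` key that both wireguard.yml rules carry; if the loader or the report keys on it, the new rules should be aligned.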
--- a/data/rules/odbc.yml
+++ b/data/rules/odbc.yml
@@ -28,43 +28,6 @@ rules:
 adoConn.Open("Provider=SQLOLEDB.1;User ID=specialbill_user; " & "Password =specialbill_user;Initial Catalog=SpecialBill_PROD;Data Source=uszdba01;") - | "driver={SQL Server};server=(#{datastore['DBHOST']});database=#{datastore['DBNAME']};uid=#{datastore['DBUID']};pwd=#{datastore['DBPASSWORD']}" - negative_examples: - - 'def login(self, user = "", password = "", domain = ""):' - - | - if datastore['VERBOSE'] - text = '' - text << "User=#{username}, " - text << "Password=#{password}, " - text << "Domain=#{domain}, " - text << "Full Name=#{full_name}, " - text << "E-mail=#{e_mail}" - print_good(text) - - | - if (len < ulen + wlen + 2) - break; - user = (char *) (p + 1); - pwd = (char *) (p + ulen + 2); - p += ulen + wlen + 2; - - | - /* Set default values */ - server = xmalloc(sizeof(*server)); - server->user = "anonymous"; - server->password = "busybox@"; - - | - System.out.println("Here we go..."); - String url = "jdbc:msf:sql://127.0.0.1:8080/sample"; - String userid = "userid"; - String password = "password"; - - | - char *domain = NULL; - char *user = NULL; - char *password = NULL; - - | - references: - https://docs.aws.amazon.com/redshift/latest/mgmt/configure-odbc-connection.html - https://docs.microsoft.com/en-us/azure/data-explorer/kusto/api/connection-strings/kusto
diff --git a/data/rules/onepassword.yml b/data/rules/onepassword.yml
new file mode 100644
index 0000000..57f0980
--- /dev/null
+++ b/data/rules/onepassword.yml
@@ -0,0 +1,53 @@
+rules:
+ - name: 1Password Service-Account Token
+ id: kingfisher.1password.2
+ pattern: |
+ (?xi)
+ \b
+ (
+ ops_eyj[A-Za-z0-9_-]{80,500}
+ )\b
+ min_entropy: 4.0
+ confidence: medium
+ examples:
+ - export OP_SERVICE_ACCOUNT_TOKEN=ops_eyJzaWduSW5BZGRyZXNzIjoibXkuMXBhc3N3b3JkLmV1IiwidXNlckF1dGgiOnsibWV0aG9kIjoiU1JQZy00MDk2IiwiYWxnIjoiUEJFUzJnLUhTMjU2IiwiaXRlcmF0aW9ucyI6NjUwMDAwLCJzYWx0IjoiUUNYYy1wTDUtakdCaDlTVjFHb1lpUSJ9LCJlbWFpbCI6ImF2ZGxyZ3JramU3dm9AMXBhc3N3b3Jkc2VydmljZWFjY291bnRzLmV1Iiwic3JwWCI6IjExNjFkMmYwNTQ3NDgxNTBmOTEwOWMxZDEzYTllZjFiNGY0ZjZiYzhlNTFlNWZkMWI5NmI5ZjQwZjY3NWEyNTciLCJtdWsiOnsiYWxnIjoiQTI1Nkd1111111111
+ validation:
+ type: Http
+ content:
+ request:
+ method: GET
+ url: https://events.1password.com/api/v2/auth/introspect
+ headers:
+ Authorization: "Bearer {{ TOKEN }}"
+ Accept: application/json
+ response_matcher:
+ - report_response: true
+ - type: StatusMatch
+ status: [200]
+ - type: WordMatch
+ words: ['"features"']
+ match_all_words: true
+ references:
+ - https://developer.1password.com/docs/service-accounts/security
+ - https://developer.1password.com/docs/service-accounts/get-started
+ - https://developer.1password.com/docs/cli/environment-variables
+ - https://developer.1password.com/docs/events-api/reference
+
+ - name: 1Password Account Secret Key
+ id: kingfisher.1password.2
+ pattern: |
+ (?xi)
+ \b
+ (
+ A[0-9]-[A-Z0-9]{6}-[A-Z0-9]{6}-[A-Z0-9]{5}(?:-[A-Z0-9]{5}){3}
+ )
+ \b
+ min_entropy: 3.8
+ confidence: medium
+ prevalidated: true
+ examples:
+ - A3-R69SQK-TZ9KPW-8MXYD-6W373-V7GHJ-EDJQW
+ - A3-ASWWYB-798JRY-LJVD4-23DC2-86TVM-H43EB
+ references:
+ - https://support.1password.com/secret-key-security/
+ - https://developer.1password.com/files/1password-white-paper.pdf
diff --git a/data/rules/twitter.yml b/data/rules/twitter.yml
new file mode 100644
index 0000000..311c0e9
--- /dev/null
+++ b/data/rules/twitter.yml
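Review bot: Both rules in this file carry `id: kingfisher.1password.2` (the `id:` line under the Service-Account Token rule and again under the Account Secret Key rule), so the identifiers collide; presumably the first was meant to be `id: kingfisher.1password.1`. If rule ids key findings, suppressions or dedup, one rule's results will be attributed to the other. The validator introspects at `events.1password.com/api/v2/auth/introspect`, which as far as I know is the Events API's own bearer-token endpoint rather than a service-account endpoint, so an `ops_…` token may get a non-200 there even when live; worth confirming against a real token before relying on it, or documenting the expectation with a comment on the `url:` line.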
@@ -0,0 +1,38 @@
+rules:
+ - name: X / Twitter Bearer Token (App-only)
+ id: kingfisher.twitter.bearer.1
+ pattern: |
+ (?xi)
+ \b
+ (?:twitter|x.com|twtr)?
+ (?:.|[\n\r]){0,16}?
+ (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
+ (?:.|[\n\r]){0,16}?
+ \b
+ (
+ A{10,}[A-Za-z0-9_\-]{40,200}
+ )
+ \b
+ min_entropy: 4.0
+ confidence: medium
+ examples:
+ - Authorization: Bearer AAAAAAAAAAAAAAAAAAAAAAL6NcQAAAAABkCyZ4E5jEXAMPLE0wuJbhVN8
+ - TWITTER_BEARER="AAAAAAAAAAAAAAAAAAAAAAAYk9SClAAAAAAAfkwAAAABAAAAA"
+ validation:
+ type: Http
+ content:
+ request:
+ method: GET
+ url: https://api.x.com/1.1/application/rate_limit_status.json
+ headers:
+ Authorization: "Bearer {{ TOKEN }}"
+ Accept: application/json
+ response_matcher:
+ - report_response: true
+ - type: StatusMatch
+ status: [200]
+ - type: WordMatch
+ words: ['"rate_limit_context"']
+ match_all_words: true
+ references:
+ - https://developer.x.com/en/docs/x-api/v1/developer-utilities/rate-limit-status/api-reference/get-application-rate_limit_status
diff --git a/data/rules/wireguard.yml b/data/rules/wireguard.yml
new file mode 100644
index 0000000..70aa1ae
--- /dev/null
+++ b/data/rules/wireguard.yml
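Review bot: Neither entry under `examples:` contains any of `SECRET|PRIVATE|ACCESS|KEY|TOKEN`, which the pattern requires before the token (`Authorization: Bearer …` and `TWITTER_BEARER=…` have none), so if the examples are run as positive tests both fail to match. Independently, `min_entropy: 4.0` looks too high for this token shape: the first example is 57 characters of which 28 are `A`, which puts its Shannon entropy near 3.3 bits per character by my estimate, and genuine app-only tokens share that long `A` prefix, so the threshold would reject real tokens; something nearer 3.0 (the droneci rule uses 3.5) seems more appropriate, assuming entropy is measured over the captured group. The optional `(?:twitter|x.com|twtr)?` followed by a lazy filler is effectively a no-op and the unescaped `.` in `x.com` matches any character; either drop it or add `BEARER` to the keyword list so the examples' context is actually anchored.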
@@ -0,0 +1,35 @@
+rules:
+ - name: WireGuard Private Key
+ id: kingfisher.wireguard.1
+ pattern: PrivateKey\s*=\s*([A-Za-z0-9+/]{43}=)
+ min_entropy: 3.3
+ confidence: medium
+ examples:
+ - |
+ [Interface]
+ Address = 10.200.200.3/32
+ PrivateKey = AsaFot43bfs1fEWjvtty+rGcjh3rP1H6sug1l3u19ix=
+ DNS = 8.8.8.8
+ references:
+ - https://www.wireguard.com/quickstart/
+ - https://manpages.debian.org/testing/wireguard-tools/wg.8.en.html
+ - https://gist.github.com/lanceliao/5d2977f417f34dda0e3d63ac7e217fd6
+ categories: [fuzzy, secret]
+
+ - name: WireGuard Preshared Key
+ id: kingfisher.wireguard.2
+ pattern: PresharedKey\s*=\s*([A-Za-z0-9+/]{43}=)
+ min_entropy: 3.3
+ confidence: medium
+ examples:
+ - |
+ [Peer]
+ PublicKey = [Server's public key]
+ PresharedKey = uRsfsZ2Ts1rach4Zv3hhwcx6wa5fuIo2u3w7sa+7j81=
+ AllowedIPs = 0.0.0.0/0, ::/0
+ Endpoint = [Server Addr:Server Port]
+ references:
+ - https://www.wireguard.com/quickstart/
+ - https://manpages.debian.org/testing/wireguard-tools/wg.8.en.html
+ - https://gist.github.com/lanceliao/5d2977f417f34dda0e3d63ac7e217fd6
+ categories: [fuzzy, secret]
\ No newline at end of file
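Review bot: The capture `([A-Za-z0-9+/]{43}=)` on both `pattern:` lines accepts any 43 base64 characters, but 43 characters plus `=` decode to exactly 32 bytes only when the 43rd character's two low bits are zero, i.e. it is one of `AEIMQUYcgkosw048`; tightening to `([A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=)` would drop random base64 that cannot be a key. Note that both example values end in `x` and `1`, which are outside that set, so they would need regenerating from real `wg genkey` / `wg genpsk` output if the pattern is tightened. Unlike the other new rules there is no `(?i)` here, so `privatekey =` or `PRIVATEKEY=` is missed; I believe wg's config parser compares key names case-insensitively, so a `(?i)` prefix is probably worth adding, but confirm against wireguard-tools first.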