[
{ "part": "filename", "type": "regex", "pattern": ".*_rsa", "caption": "Private SSH key", "description": null }, { "part": "filename", "type": "regex", "pattern": ".*_dsa", "caption": "Private SSH key", "description": null }, { "part": "filename", "type": "regex", "pattern": ".*_ed25519", "caption": "Private SSH key", "description": null }, { "part": "filename", "type": "regex", "pattern": ".*_ecdsa", "caption": "Private SSH key", "description": null }, { "part": "extension", "type": "match", "pattern": "pem", "caption": "Potential cryptographic private key", "description": null }, { "part": "extension", "type": "match", "pattern": "ppk", "caption": "Potential cryptographic private key", "description": null }, { "part": "extension", "type": "regex", "pattern": "key(pair)?", "caption": "Potential cryptographic private key", "description": null }, { "part": "extension", "type": "match", "pattern": "pkcs12", "caption": "Potential cryptographic key bundle", "description": null }, { "part": "extension", "type": "match", "pattern": "pfx", "caption": "Potential cryptographic key bundle", "description": null }, { "part": "extension", "type": "match", "pattern": "p12", "caption": "Potential cryptographic key bundle", "description": null }, { "part": "extension", "type": "match", "pattern": "asc", "caption": "Potential cryptographic key bundle", "description": null }, { "part": "filename", "type": "match", "pattern": "otr.private_key", "caption": "Pidgin OTR private key", "description": null }, { "part": "filename", "type": "regex", "pattern": "\\.?(bash_|zsh_|z)?history", "caption": "Shell command history file", "description": null }, { "part": "filename", "type": "regex", "pattern": "\\.?mysql_history", "caption": "MySQL client command history file", "description": null }, { "part": "filename", "type": "regex", "pattern": "\\.?psql_history", "caption": "PostgreSQL client command history file", "description": null }, { "part": "filename", "type": "regex", "pattern": "\\.?irb_history", "caption": "Ruby IRB console history file", "description": null }, { "part": "path", "type": "regex", "pattern": "\\.?purple\\/accounts\\.xml", "caption": "Pidgin chat client account configuration file", "description": null }, { "part": "path", "type": "regex", "pattern": "\\.?xchat2?\\/servlist_?\\.conf", "caption": "Hexchat/XChat IRC client server list configuration file", "description": null }, { "part": "path", "type": "regex", "pattern": "\\.?irssi\\/config", "caption": "Irssi IRC client configuration file", "description": null }, { "part": "path", "type": "regex", "pattern": "\\.?recon-ng\\/keys\\.db", "caption": "Recon-ng web reconnaissance framework API key database", "description": null }, { "part": "filename", "type": "regex", "pattern": "\\.?dbeaver-data-sources.xml", "caption": "DBeaver SQL database manager configuration file", "description": null }, { "part": "filename", "type": "regex", "pattern": "\\.?muttrc", "caption": "Mutt e-mail client configuration file", "description": null }, { "part": "filename", "type": "regex", "pattern": "\\.?s3cfg", "caption": "S3cmd configuration file", "description": null }, { "part": "filename", "type": "regex", "pattern": "\\.?trc", "caption": "T command-line Twitter client configuration file", "description": null }, { "part": "extension", "type": "match", "pattern": "ovpn", "caption": "OpenVPN client configuration file", "description": null }, { "part": "filename", "type": "regex", "pattern": "\\.?gitrobrc", "caption": "Well, this is awkward... Gitrob configuration file", "description": null }, { "part": "filename", "type": "regex", "pattern": "\\.?(bash|zsh)rc", "caption": "Shell configuration file", "description": "Shell configuration files might contain information such as server hostnames, passwords and API keys." }, { "part": "filename", "type": "regex", "pattern": "\\.?(bash_|zsh_)?profile", "caption": "Shell profile configuration file", "description": "Shell configuration files might contain information such as server hostnames, passwords and API keys." }, { "part": "filename", "type": "regex", "pattern": "\\.?(bash_|zsh_)?aliases", "caption": "Shell command alias configuration file", "description": "Shell configuration files might contain information such as server hostnames, passwords and API keys." }, { "part": "filename", "type": "match", "pattern": "secret_token.rb", "caption": "Ruby On Rails secret token configuration file", "description": "If the Rails secret token is known, it can allow for remote code execution. (http://www.exploit-db.com/exploits/27527/)" }, { "part": "filename", "type": "match", "pattern": "omniauth.rb", "caption": "OmniAuth configuration file", "description": "The OmniAuth configuration file might contain client application secrets." }, { "part": "filename", "type": "match", "pattern": "carrierwave.rb", "caption": "Carrierwave configuration file", "description": "Can contain credentials for online storage systems such as Amazon S3 and Google Storage." }, { "part": "filename", "type": "match", "pattern": "schema.rb", "caption": "Ruby On Rails database schema file", "description": "Contains information on the database schema of a Ruby On Rails application." }, { "part": "filename", "type": "match", "pattern": "database.yml", "caption": "Potential Ruby On Rails database configuration file", "description": "Might contain database credentials." }, { "part": "filename", "type": "match", "pattern": "settings.py", "caption": "Django configuration file", "description": "Might contain database credentials, online storage system credentials, secret keys, etc." }, { "part": "filename", "type": "regex", "pattern": "(.*)?config(\\.inc)?\\.php", "caption": "PHP configuration file", "description": "Might contain credentials and keys." }, { "part": "extension", "type": "match", "pattern": "kdb", "caption": "KeePass password manager database file", "description": null }, { "part": "extension", "type": "match", "pattern": "agilekeychain", "caption": "1Password password manager database file", "description": null }, { "part": "extension", "type": "match", "pattern": "keychain", "caption": "Apple Keychain database file", "description": null }, { "part": "extension", "type": "regex", "pattern": "key(store|ring)", "caption": "GNOME Keyring database file", "description": null }, { "part": "extension", "type": "match", "pattern": "log", "caption": "Log file", "description": "Log files might contain information such as references to secret HTTP endpoints, session IDs, user information, passwords and API keys." }, { "part": "extension", "type": "match", "pattern": "pcap", "caption": "Network traffic capture file", "description": null }, { "part": "extension", "type": "regex", "pattern": "sql(dump)?", "caption": "SQL dump file", "description": null }, { "part": "extension", "type": "match", "pattern": "gnucash", "caption": "GnuCash database file", "description": null }, { "part": "filename", "type": "regex", "pattern": "backup", "caption": "Contains word: backup", "description": null }, { "part": "filename", "type": "regex", "pattern": "dump", "caption": "Contains word: dump", "description": null }, { "part": "filename", "type": "regex", "pattern": "password", "caption": "Contains word: password", "description": null }, { "part": "filename", "type": "regex", "pattern": "private.*key", "caption": "Contains words: private, key", "description": null }, { "part": "filename", "type": "match", "pattern": "jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml", "caption": "Jenkins publish over SSH plugin file", "description": null }, { "part": "filename", "type": "match", "pattern": "credentials.xml", "caption": "Potential Jenkins credentials file", "description": null }, { "part": "filename", "type": "regex", "pattern": "\\.?htpasswd", "caption": "Apache htpasswd file", "description": null }, { "part": "filename", "type": "regex", "pattern": "\\.?netrc", "caption": "Configuration file for auto-login process", "description": "Might contain username and password." }, { "part": "extension", "type": "match", "pattern": "kwallet", "caption": "KDE Wallet Manager database file", "description": null }, { "part": "filename", "type": "match", "pattern": "LocalSettings.php", "caption": "Potential MediaWiki configuration file", "description": null }, { "part": "extension", "type": "match", "pattern": "tblk", "caption": "Tunnelblick VPN configuration file", "description": null }, { "part": "path", "type": "regex", "pattern": "\\.?gem/credentials", "caption": "Rubygems credentials file", "description": "Might contain API key for a rubygems.org account." }, { "part": "filename", "type": "regex", "pattern": ".*\\.pubxml(\\.user)?", "caption": "Potential MSBuild publish profile", "description": null }, { "part": "filename", "type": "match", "pattern": ".env", "caption": "dotenv", "description": "Environment file that contains sensitive data" }
]