From 5e2261ad0f7d11c28eaa8f0473784075c6b2e105 Mon Sep 17 00:00:00 2001
From: Takashi Matsumoto <77025706+t-mtsmt@users.noreply.github.com>
Date: Mon, 30 Mar 2026 22:48:55 +0900
Subject: [PATCH 1/2] Detect passwords in CMD set statements

---
 .../DefaultRules/FileRules/Keep/Code/Cmd/KeepCmdCredentials.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Code/Cmd/KeepCmdCredentials.toml b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Code/Cmd/KeepCmdCredentials.toml
index 9cd8ef40..5e7db52c 100644
--- a/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Code/Cmd/KeepCmdCredentials.toml
+++ b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Code/Cmd/KeepCmdCredentials.toml
@@ -7,6 +7,7 @@ MatchLocation = "FileContentAsString"
 WordListType = "Regex"
 MatchLength = 0
 WordList = ["passwo?r?d\\s*=\\s*[\\'\\\"][^\\'\\\"]....",
+"set\\s*\\"?\\w*passwo?r?d=....",
 "schtasks.{1,300}(/rp\\s|/p\\s)",
 "net user ",
 "psexec .{0,100} -p ",

From a2dcb40f701d1f05b1de6bf807654adb40d37ca8 Mon Sep 17 00:00:00 2001
From: Takashi Matsumoto <77025706+t-mtsmt@users.noreply.github.com>
Date: Tue, 31 Mar 2026 00:44:22 +0900
Subject: [PATCH 2/2] Fix escaping in CMD set password detection regex

---
 .../FileRules/Keep/Code/Cmd/KeepCmdCredentials.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Code/Cmd/KeepCmdCredentials.toml b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Code/Cmd/KeepCmdCredentials.toml
index 5e7db52c..17c727a1 100644
--- a/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Code/Cmd/KeepCmdCredentials.toml
+++ b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Code/Cmd/KeepCmdCredentials.toml
@@ -7,11 +7,11 @@ MatchLocation = "FileContentAsString"
 WordListType = "Regex"
 MatchLength = 0
 WordList = ["passwo?r?d\\s*=\\s*[\\'\\\"][^\\'\\\"]....",
-"set\\s*\\"?\\w*passwo?r?d=....",
+"set\\s*\\\"?\\w*passwo?r?d=....",
 "schtasks.{1,300}(/rp\\s|/p\\s)",
 "net user ",
 "psexec .{0,100} -p ",
 "net use .{0,300} /user:",
 "cmdkey "
 ]
-Triage = "Red"
\ No newline at end of file
+Triage = "Red"
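Review bot: The corrected `set` entry on the `+` line has no word boundary before `set`, so any identifier ending in `set` that precedes a password key also fires (`reset_password=`, `dataset_password=`), and because `\\w*` sits between `set` and `passwo?r?d` the match is not tied to the `set` command at all; `"\\bset\\s*\\\"?\\w*passwo?r?d=...."` anchors it without losing the quoted `set "PASSWORD=..."` form the `\\\"?` is there for. The pattern is also all lowercase while batch files commonly write `SET PASSWORD=`; this diff does not show whether the rule engine compiles entries case-insensitively, so if it does not, a leading `(?i)` on this entry would be needed for the usual form. Separately, the escaping slip that this second commit fixes would not arise with a TOML literal string, `'set\s*"?\w*passwo?r?d=....'`, which takes no escapes at all — worth using for new regex entries provided Snaffler's TOML loader accepts literal strings, which is not visible here.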