A personal collection of custom sandflies. They will likely need tuning for your particular environment. The credential_leak sandflies look for typical patterns where process command lines or shell history contain credentials: the same places a threat actor already present on a system will look in order to further lateral movement.
Looks through the current process list to see if command line arguments leak credentials.
Looks through cron and at jobs to see if command-line arguments leak credentials (any secret passed as an argument becomes visible in the process list while the job runs).
Looks through users' .bash_history files to see if there is a credential leak.
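As an added example of the three checks above (this is not one of the repository's sandflies and not Sandfly's own detection logic), the POSIX shell script below applies one credential regex to constructed input lines, to the live process list read from /proc, and to cron/at job files and .bash_history files. The pattern in CRED_RE, the function names, the file paths and the sample lines are assumptions made for illustration; the regex is deliberately a small starting set and will need the same per-environment tuning the sandflies do.

```sh
#!/bin/sh
# Added example (not part of this repository's sandflies): a portable
# shell check for the three credential_leak cases. CRED_RE, the function
# names and the file list are illustrative and should be tuned locally.

# Extended regex of common ways a secret ends up inline on a command line.
# Each alternative is a tool/flag shape where the argument IS the secret;
# "mysql -p" followed by a space (interactive prompt) deliberately does not match.
CRED_RE='(mysql|mysqldump|mariadb)[^#]* -p[^[:space:]]+|--password=[^[:space:]]+|sshpass -p[[:space:]]*[^[:space:]]+|curl[^#]* -u [^[:space:]]+:[^[:space:]]+|smbclient[^#]* -U [^[:space:]]*%[^[:space:]]+|(PGPASSWORD|MYSQL_PWD|AWS_SECRET_ACCESS_KEY|VAULT_TOKEN)=[^[:space:]]+|openssl[^#]* -pass(in|out)? pass:[^[:space:]]+'

# scan_lines: read candidate lines on stdin, print only those that match.
# "|| true" keeps a clean scan from looking like a failure under set -e.
scan_lines() {
    grep -E -- "$CRED_RE" || true
}

# count_leaks: same scan, but print just the number of matching lines.
count_leaks() {
    grep -Ec -- "$CRED_RE" || true
}

# scan_procs: current process list. /proc/PID/cmdline is NUL-separated, so
# rewrite the separators to spaces before matching. Processes that exit
# between the glob and the read are silently skipped.
scan_procs() {
    for f in /proc/[0-9]*/cmdline; do
        pid=${f#/proc/}
        pid=${pid%/cmdline}
        tr '\000' ' ' 2>/dev/null < "$f" | scan_lines | sed "s|^|pid $pid: |"
    done
}

# scan_files: cron tables, at jobs and per-user shell histories. Cron and
# at commands only appear in the process list while they run, so read the
# job definitions directly instead of waiting to catch them live.
scan_files() {
    for f in /etc/crontab /etc/cron.*/* \
             /var/spool/cron/* /var/spool/cron/crontabs/* \
             /var/spool/at/* /var/spool/cron/atjobs/* \
             /root/.bash_history /home/*/.bash_history; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        scan_lines < "$f" | sed "s|^|$f: |"
    done
}

# Only touch the live system when asked; with no argument the functions
# are just defined so the script can be sourced or fed constructed input.
if [ "${1:-}" = "--live" ]; then
    scan_procs
    scan_files
fi
```

Run it as root with `--live` so that other users' cmdline, spool and history files are readable (with `hidepid` mounted on /proc, non-root sees only its own processes). Two caveats a practitioner will want: the matched line contains the secret itself, so the output must be handled as sensitive data, not pasted into a ticket; and a one-shot process scan only catches a leak while the command is running, which is why cron and at definitions are read from disk rather than waited for.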
I have no affiliation with Sandfly Security (https://sandflysecurity.com). I simply like their product.
BSD Simplified 2-clause license.