Merge pull request #397 from RandolphConley/master

code update ; Added search / function for excel files
Update winPEAS.ps1
2025-12-15 21:09:02 +00:00 · 2023-10-24 12:34:02 +02:00 · 2023-10-13 17:46:43 -04:00 · 2023-10-13 17:43:05 -04:00 · 2023-10-13 17:42:51 -04:00 · 2023-10-13 17:39:54 -04:00
2 changed files with 434 additions and 278 deletions
--- a/linPEAS/builder/linpeas_parts/9_interesting_files.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files.sh
@@ -239,14 +239,14 @@ fi
 ##-- IF) Passwords in history files
 if [ "$PSTORAGE_HISTORY" ] || [ "$DEBUG" ]; then
  print_2title "Searching passwords in history files"
-  printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done
+  printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -EiH "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done
  echo ""
 fi

 ##-- IF) Passwords in config PHP files
 if [ "$PSTORAGE_PHP_FILES" ] || [ "$DEBUG" ]; then
  print_2title "Searching passwords in config PHP files"
-  printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done
+  printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiIH "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done
  echo ""
 fi

--- a/winPEAS/winPEASps1/winPEAS.ps1
+++ b/winPEAS/winPEASps1/winPEAS.ps1
@@ -4,26 +4,38 @@
 .DESCRIPTION
  For the legal enumeration of windows based computers that you either own or are approved to run this script on
 .EXAMPLE
-  .\WinPeas.ps1
+  # Default - normal operation with username/password audit in drives/registry
+  .\winPeas.ps1
+
+  # Include Excel files in search: .xls, .xlsx, .xlsm
+  .\winPeas.ps1 -Excel
+
+  # Full audit - normal operation with APIs / Keys / Tokens
+  ## This will produce false positives ## 
+  .\winPeas.ps1 -FullCheck 
+
  # Add Time stamps to each command
-  .\WinPeas.ps1 -TimeStamp
+  .\winPeas.ps1 -TimeStamp
+
 .NOTES
-  Version:                    1.0
+  Version:                    1.3
  PEASS-ng Original Author:   carlospolop
-  WinPEAS.ps1 Author:         @RandolphConley
+  winPEAS.ps1 Author:         @RandolphConley
  Creation Date:              10/4/2022
  Website:                    https://github.com/carlospolop/PEASS-ng

  TESTED: PoSh 5,7
-  UNTESTED: Posh 3,4
-  INCOMPATIBLE: Posh 2 or lower
+  UNTESTED: PoSh 3,4
+  NOT FULLY COMPATIBLE: PoSh 2 or lower
 #>

 ######################## FUNCTIONS ########################

 [CmdletBinding()]
 param(
-  [switch]$TimeStamp
+  [switch]$TimeStamp,
+  [switch]$FullCheck,
+  [switch]$Excel
 )

 # Gather KB from all patches installed
@@ -108,7 +120,6 @@ Function UnquotedServicePathCheck {
 }

 function TimeElapsed { Write-Host "Time Running: $($stopwatch.Elapsed.Minutes):$($stopwatch.Elapsed.Seconds)" }
-
 Function Get-ClipBoardText {
  Add-Type -AssemblyName PresentationCore
  $text = [Windows.Clipboard]::GetText()
@@ -120,251 +131,369 @@ Function Get-ClipBoardText {
    
  }
 }
-function h { Write-Host "##" -ForegroundColor Green }

-"
-    ((,.,/((((((((((((((((((((/,  */
-,/*,..*(((((((((((((((((((((((((((((((((,
-,*/((((((((((((((((((/,  .*//((//**, .*((((((*
-((((((((((((((((* *****,,,/########## .(* ,((((((
-(((((((((((/* ******************/####### .(. ((((((
-((((((..******************/@@@@@/***/###### /((((((
-,,..**********************@@@@@@@@@@(***,#### ../(((((
-, ,**********************#@@@@@#@@@@*********##((/ /((((
-..(((##########*********/#@@@@@@@@@/*************,,..((((
-.(((################(/******/@@@@@#****************.. /((
-.((########################(/************************..*(
-.((#############################(/********************.,(
-.((##################################(/***************..(
-.((######################################(************..(
-.((######(,.***.,(###################(..***(/*********..(
-.((######*(#####((##################((######/(********..(
-.((##################(/**********(################(**...(
-.(((####################/*******(###################.((((
-.(((((############################################/  /((
-..(((((#########################################(..(((((.
-....(((((#####################################( .((((((.
-......(((((#################################( .(((((((.
-(((((((((. ,(############################(../(((((((((.
-  (((((((((/,  ,####################(/..((((((((((.
-        (((((((((/,.  ,*//////*,. ./(((((((((((.
-           (((((((((((((((((((((((((((/
-          by CarlosPolop & RandolphConley
-"                  
+Function Search-Excel {
+  [cmdletbinding()]
+  Param (
+      [parameter(Mandatory, ValueFromPipeline)]
+      [ValidateScript({
+          Try {
+              If (Test-Path -Path $_) {$True}
+              Else {Throw "$($_) is not a valid path!"}
+          }
+          Catch {
+              Throw $_
+          }
+      })]
+      [string]$Source,
+      [parameter(Mandatory)]
+      [string]$SearchText
+      #You can specify wildcard characters (*, ?)
+  )
+  $Excel = New-Object -ComObject Excel.Application
+  Try {
+      $Source = Convert-Path $Source
+  }
+  Catch {
+      Write-Warning "Unable locate full path of $($Source)"
+      BREAK
+  }
+  $Workbook = $Excel.Workbooks.Open($Source)
+  ForEach ($Worksheet in @($Workbook.Sheets)) {
+      # Find Method https://msdn.microsoft.com/en-us/vba/excel-vba/articles/range-find-method-excel
+      $Found = $WorkSheet.Cells.Find($SearchText)
+      If ($Found) {
+        try{  
+          # Address Method https://msdn.microsoft.com/en-us/vba/excel-vba/articles/range-address-property-excel
+          Write-Host "Pattern: '$SearchText' found in $source" -ForegroundColor Blue
+          $BeginAddress = $Found.Address(0,0,1,1)
+          #Initial Found Cell
+          [pscustomobject]@{
+              WorkSheet = $Worksheet.Name
+              Column = $Found.Column
+              Row =$Found.Row
+              TextMatch = $Found.Text
+              Address = $BeginAddress
+          }
+          Do {
+              $Found = $WorkSheet.Cells.FindNext($Found)
+              $Address = $Found.Address(0,0,1,1)
+              If ($Address -eq $BeginAddress) {
+                Write-host "Address is same as Begin Address"
+                  BREAK
+              }
+              [pscustomobject]@{
+                  WorkSheet = $Worksheet.Name
+                  Column = $Found.Column
+                  Row =$Found.Row
+                  TextMatch = $Found.Text
+                  Address = $Address
+              }                 
+          } Until ($False)
+        }
+        catch {
+          # Null expression in Found
+        }
+      }
+      #Else {
+      #    Write-Warning "[$($WorkSheet.Name)] Nothing Found!"
+      #}
+  }
+  try{
+  $workbook.close($False)
+  [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject([System.__ComObject]$excel)
+  [gc]::Collect()
+  [gc]::WaitForPendingFinalizers()
+  }
+  catch{
+    #Usually an RPC error
+  }
+  Remove-Variable excel -ErrorAction SilentlyContinue
+}
+
+function Write-Color([String[]]$Text, [ConsoleColor[]]$Color) {
+  for ($i = 0; $i -lt $Text.Length; $i++) {
+    Write-Host $Text[$i] -Foreground $Color[$i] -NoNewline
+  }
+  Write-Host
+}
+
+#Write-Color "    ((,.,/((((((((((((((((((((/,  */" -Color Green
+Write-Color ",/*,..*(((((((((((((((((((((((((((((((((," -Color Green
+Write-Color ",*/((((((((((((((((((/,  .*//((//**, .*((((((*" -Color Green
+Write-Color "((((((((((((((((", "* *****,,,", "\########## .(* ,((((((" -Color Green, Blue, Green
+Write-Color "(((((((((((", "/*******************", "####### .(. ((((((" -Color Green, Blue, Green
+Write-Color "(((((((", "/******************", "/@@@@@/", "***", "\#######\((((((" -Color Green, Blue, White, Blue, Green
+Write-Color ",,..", "**********************", "/@@@@@@@@@/", "***", ",#####.\/(((((" -Color Green, Blue, White, Blue, Green
+Write-Color ", ,", "**********************", "/@@@@@+@@@/", "*********", "##((/ /((((" -Color Green, Blue, White, Blue, Green
+Write-Color "..(((##########", "*********", "/#@@@@@@@@@/", "*************", ",,..((((" -Color Green, Blue, White, Blue, Green
+Write-Color ".(((################(/", "******", "/@@@@@/", "****************", ".. /((" -Color Green, Blue, White, Blue, Green
+Write-Color ".((########################(/", "************************", "..*(" -Color Green, Blue, Green
+Write-Color ".((#############################(/", "********************", ".,(" -Color Green, Blue, Green
+Write-Color ".((##################################(/", "***************", "..(" -Color Green, Blue, Green
+Write-Color ".((######################################(/", "***********", "..(" -Color Green, Blue, Green
+Write-Color ".((######", "(,.***.,(", "###################", "(..***", "(/*********", "..(" -Color Green, Green, Green, Green, Blue, Green
+Write-Color ".((######*", "(####((", "###################", "((######", "/(********", "..(" -Color Green, Green, Green, Green, Blue, Green
+Write-Color ".((##################", "(/**********(", "################(**...(" -Color Green, Green, Green
+Write-Color ".(((####################", "/*******(", "###################.((((" -Color Green, Green, Green
+Write-Color ".(((((############################################/  /((" -Color Green
+Write-Color "..(((((#########################################(..(((((." -Color Green
+Write-Color "....(((((#####################################( .((((((." -Color Green
+Write-Color "......(((((#################################( .(((((((." -Color Green
+Write-Color "(((((((((. ,(############################(../(((((((((." -Color Green
+Write-Color "  (((((((((/,  ,####################(/..((((((((((." -Color Green
+Write-Color "        (((((((((/,.  ,*//////*,. ./(((((((((((." -Color Green
+Write-Color "           (((((((((((((((((((((((((((/" -Color Green
+Write-Color "          by CarlosPolop & RandolphConley" -Color Green
+
+######################## VARIABLES ########################

 # Manually added Regex search strings from https://github.com/carlospolop/PEASS-ng/blob/master/build_lists/sensitive_files.yaml
+
+# Set these values to true to add them to the regex search by default
+$password = $true
+$username = $true
+$webAuth = $true
+
 $regexSearch = @{}
-$regexSearch.add("Apr1 MD5", '\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}')
-$regexSearch.add("Apache SHA", "\{SHA\}[0-9a-zA-Z/_=]{10,}")
-$regexSearch.add("Blowfish", '\$2[abxyz]?\$[0-9]{2}\$[a-zA-Z0-9_/\.]*')
-$regexSearch.add("Drupal", '\$S\$[a-zA-Z0-9_/\.]{52}')
-$regexSearch.add("Joomlavbulletin", "[0-9a-zA-Z]{32}:[a-zA-Z0-9_]{16,32}")
-$regexSearch.add("Linux MD5", '\$1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}')
-$regexSearch.add("phpbb3", '\$H\$[a-zA-Z0-9_/\.]{31}')
-$regexSearch.add("sha512crypt", '\$6\$[a-zA-Z0-9_/\.]{16}\$[a-zA-Z0-9_/\.]{86}')
-$regexSearch.add("Wordpress", '\$P\$[a-zA-Z0-9_/\.]{31}')
-$regexSearch.add("md5", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{32}([^a-zA-Z0-9]|$)")
-$regexSearch.add("sha1", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)")
-$regexSearch.add("sha256", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{64}([^a-zA-Z0-9]|$)")
-$regexSearch.add("sha512", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{128}([^a-zA-Z0-9]|$)")
-$regexSearch.add("Artifactory API Token", "AKC[a-zA-Z0-9]{10,}")
-$regexSearch.add("Artifactory Password", "AP[0-9ABCDEF][a-zA-Z0-9]{8,}")
-$regexSearch.add("Authorization Basic", "basic [a-zA-Z0-9_:\.=\-]+")
-$regexSearch.add("Authorization Bearer", "bearer [a-zA-Z0-9_\.=\-]+")
-$regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})")
-$regexSearch.add("Adobe Client Id (Oauth Web)", "(adobe[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""]")
-$regexSearch.add("Abode Client Secret", "(p8e-)[a-z0-9]{32}")
-$regexSearch.add("Age Secret Key", "AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}")
-$regexSearch.add("Airtable API Key", "([a-z0-9]{17})")
-$regexSearch.add("Alchemi API Key", "(alchemi[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9-]{32})['""]")
-$regexSearch.add("Alibaba Access Key ID", "(LTAI)[a-z0-9]{20}")
-$regexSearch.add("Alibaba Secret Key", "(alibaba[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]")
-$regexSearch.add("Artifactory API Key & Password", "[""']AKC[a-zA-Z0-9]{10,}[""']|[""']AP[0-9ABCDEF][a-zA-Z0-9]{8,}[""']")
-$regexSearch.add("Asana Client ID", "((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9]{16})['""])|((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
-$regexSearch.add("Atlassian API Key", "(atlassian[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{24})['""]")
-$regexSearch.add("AWS Client ID", "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}")
-$regexSearch.add("AWS MWS Key", "amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
-$regexSearch.add("AWS Secret Key", "aws(.{0,20})?['""][0-9a-zA-Z\/+]{40}['""]")
-$regexSearch.add("AWS AppSync GraphQL Key", "da2-[a-z0-9]{26}")
-$regexSearch.add("Base32", "(?:[A-Z2-7]{8})*(?:[A-Z2-7]{2}={6}|[A-Z2-7]{4}={4}|[A-Z2-7]{5}={3}|[A-Z2-7]{7}=)?")
-$regexSearch.add("Base64", "(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[a-zA-Z0-9+/]+={0,2}")
-$regexSearch.add("Basic Auth Credentials", "://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[a-zA-Z]+")
-$regexSearch.add("Beamer Client Secret", "(beamer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](b_[a-z0-9=_\-]{44})['""]")
-$regexSearch.add("Binance API Key", "(binance[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{64})['""]")
-$regexSearch.add("Bitbucket Client Id", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
-$regexSearch.add("Bitbucket Client Secret", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9_\-]{64})['""])")
-$regexSearch.add("BitcoinAverage API Key", "(bitcoin.?average[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{43})['""]")
-$regexSearch.add("Bitquery API Key", "(bitquery[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9]{32})['""]")
-$regexSearch.add("Bittrex Access Key and Access Key", "([a-z0-9]{32})")
-$regexSearch.add("Birise API Key", "(bitrise[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9_\-]{86})['""]")
-$regexSearch.add("Block API Key", "(block[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4})['""]")
-$regexSearch.add("Blockchain API Key", "mainnet[a-zA-Z0-9]{32}|testnet[a-zA-Z0-9]{32}|ipfs[a-zA-Z0-9]{32}")
-$regexSearch.add("Blockfrost API Key", "(blockchain[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[0-9a-f]{12})['""]")
-$regexSearch.add("Box API Key", "(box[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{32})['""]")
-$regexSearch.add("Bravenewcoin API Key", "(bravenewcoin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{50})['""]")
-$regexSearch.add("Clearbit API Key", "sk_[a-z0-9]{32}")
-$regexSearch.add("Clojars API Key", "(CLOJARS_)[a-zA-Z0-9]{60}")
-$regexSearch.add("Cloudinary Basic Auth", "cloudinary://[0-9]{15}:[0-9A-Za-z]+@[a-z]+")
-$regexSearch.add("Coinbase Access Token", "([a-z0-9_-]{64})")
-$regexSearch.add("Coinlayer API Key", "(coinlayer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
-$regexSearch.add("Coinlib API Key", "(coinlib[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{16})['""]")
-$regexSearch.add("Confluent Access Token & Secret Key", "([a-z0-9]{16})")
-$regexSearch.add("Contentful delivery API Key", "(contentful[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{43})['""]")
-$regexSearch.add("Covalent API Key", "ckey_[a-z0-9]{27}")
-$regexSearch.add("Charity Search API Key", "(charity.?search[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
-$regexSearch.add("Databricks API Key", "dapi[a-h0-9]{32}")
-$regexSearch.add("DDownload API Key", "(ddownload[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{22})['""]")
-$regexSearch.add("Defined Networking API token", "(dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52})")
-$regexSearch.add("Discord API Key, Client ID & Client Secret", "((discord[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-h0-9]{64}|[0-9]{18}|[a-z0-9=_\-]{32})['""])")
-$regexSearch.add("Droneci Access Token", "([a-z0-9]{32})")
-$regexSearch.add("Dropbox API Key", "sl.[a-zA-Z0-9_-]{136}")
-$regexSearch.add("Doppler API Key", "(dp\.pt\.)[a-zA-Z0-9]{43}")
-$regexSearch.add("Dropbox API secret/key, short & long lived API Key", "(dropbox[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{15}|sl\.[a-z0-9=_\-]{135}|[a-z0-9]{11}(AAAAAAAAAA)[a-z0-9_=\-]{43})['""]")
-$regexSearch.add("Duffel API Key", "duffel_(test|live)_[a-zA-Z0-9_-]{43}")
-$regexSearch.add("Dynatrace API Key", "dt0c01\.[a-zA-Z0-9]{24}\.[a-z0-9]{64}")
-$regexSearch.add("EasyPost API Key", "EZAK[a-zA-Z0-9]{54}")
-$regexSearch.add("EasyPost test API Key", "EZTK[a-zA-Z0-9]{54}")
-$regexSearch.add("Etherscan API Key", "(etherscan[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{34})['""]")
-$regexSearch.add("Etsy Access Token", "([a-z0-9]{24})")
-$regexSearch.add("Facebook Access Token", "EAACEdEose0cBA[0-9A-Za-z]+")
-$regexSearch.add("Facebook Client ID", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9]{13,17}")
-$regexSearch.add("Facebook Oauth", "[fF][aA][cC][eE][bB][oO][oO][kK].*['|""][0-9a-f]{32}['|""]")
-$regexSearch.add("Facebook Secret Key", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9a-f]{32}")
-$regexSearch.add("Fastly API Key", "(fastly[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{32})['""]")
-$regexSearch.add("Finicity API Key & Client Secret", "(finicity[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32}|[a-z0-9]{20})['""]")
-$regexSearch.add("Flickr Access Token", "([a-z0-9]{32})")
-$regexSearch.add("Flutterweave Keys", "FLWPUBK_TEST-[a-hA-H0-9]{32}-X|FLWSECK_TEST-[a-hA-H0-9]{32}-X|FLWSECK_TEST[a-hA-H0-9]{12}")
-$regexSearch.add("Frame.io API Key", "fio-u-[a-zA-Z0-9_=\-]{64}")
-$regexSearch.add("Freshbooks Access Token", "([a-z0-9]{64})")
-$regexSearch.add("Github", "github(.{0,20})?['""][0-9a-zA-Z]{35,40}")
-$regexSearch.add("Github App Token", "(ghu|ghs)_[0-9a-zA-Z]{36}")
-$regexSearch.add("Github OAuth Access Token", "gho_[0-9a-zA-Z]{36}")
-$regexSearch.add("Github Personal Access Token", "ghp_[0-9a-zA-Z]{36}")
-$regexSearch.add("Github Refresh Token", "ghr_[0-9a-zA-Z]{76}")
-$regexSearch.add("GitHub Fine-Grained Personal Access Token", "github_pat_[0-9a-zA-Z_]{82}")
-$regexSearch.add("Gitlab Personal Access Token", "glpat-[0-9a-zA-Z\-]{20}")
-$regexSearch.add("GitLab Pipeline Trigger Token", "glptt-[0-9a-f]{40}")
-$regexSearch.add("GitLab Runner Registration Token", "GR1348941[0-9a-zA-Z_\-]{20}")
-$regexSearch.add("Gitter Access Token", "([a-z0-9_-]{40})")
-$regexSearch.add("GoCardless API Key", "live_[a-zA-Z0-9_=\-]{40}")
-$regexSearch.add("GoFile API Key", "(gofile[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{32})['""]")
-$regexSearch.add("Google API Key", "AIza[0-9A-Za-z_\-]{35}")
-$regexSearch.add("Google Cloud Platform API Key", "(google|gcp|youtube|drive|yt)(.{0,20})?['""][AIza[0-9a-z_\-]{35}]['""]")
-$regexSearch.add("Google Drive Oauth", "[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com")
-$regexSearch.add("Google Oauth Access Token", "ya29\.[0-9A-Za-z_\-]+")
-$regexSearch.add("Google (GCP) Service-account", """type.+:.+""service_account")
-$regexSearch.add("Grafana API Key", "eyJrIjoi[a-z0-9_=\-]{72,92}")
-$regexSearch.add("Grafana cloud api token", "glc_[A-Za-z0-9\+/]{32,}={0,2}")
-$regexSearch.add("Grafana service account token", "(glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})")
-$regexSearch.add("Hashicorp Terraform user/org API Key", "[a-z0-9]{14}\.atlasv1\.[a-z0-9_=\-]{60,70}")
-$regexSearch.add("Heroku API Key", "[hH][eE][rR][oO][kK][uU].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}")
-$regexSearch.add("Hubspot API Key", "['""][a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12}['""]")
-$regexSearch.add("Instatus API Key", "(instatus[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
-$regexSearch.add("Intercom API Key & Client Secret/ID", "(intercom[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_]{60}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]")
-$regexSearch.add("Ionic API Key", "(ionic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](ion_[a-z0-9]{42})['""]")
-$regexSearch.add("Jenkins Creds", "<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<")
-$regexSearch.add("JSON Web Token", "(ey[0-9a-z]{30,34}\.ey[0-9a-z\/_\-]{30,}\.[0-9a-zA-Z\/_\-]{10,}={0,2})")
-$regexSearch.add("Kraken Access Token", "([a-z0-9\/=_\+\-]{80,90})")
-$regexSearch.add("Kucoin Access Token", "([a-f0-9]{24})")
-$regexSearch.add("Kucoin Secret Key", "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
-$regexSearch.add("Launchdarkly Access Token", "([a-z0-9=_\-]{40})")
-$regexSearch.add("Linear API Key", "(lin_api_[a-zA-Z0-9]{40})")
-$regexSearch.add("Linear Client Secret/ID", "((linear[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""])")
-$regexSearch.add("LinkedIn Client ID", "linkedin(.{0,20})?['""][0-9a-z]{12}['""]")
-$regexSearch.add("LinkedIn Secret Key", "linkedin(.{0,20})?['""][0-9a-z]{16}['""]")
-$regexSearch.add("Lob API Key", "((lob[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]((live|test)_[a-f0-9]{35})['""])|((lob[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]((test|live)_pub_[a-f0-9]{31})['""])")
-$regexSearch.add("Lob Publishable API Key", "((test|live)_pub_[a-f0-9]{31})")
-$regexSearch.add("MailboxValidator", "(mailbox.?validator[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{20})['""]")
-$regexSearch.add("Mailchimp API Key", "[0-9a-f]{32}-us[0-9]{1,2}")
-$regexSearch.add("Mailgun API Key", "key-[0-9a-zA-Z]{32}'")
-$regexSearch.add("Mailgun Public Validation Key", "pubkey-[a-f0-9]{32}")
-$regexSearch.add("Mailgun Webhook signing key", "[a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8}")
-$regexSearch.add("Mapbox API Key", "(pk\.[a-z0-9]{60}\.[a-z0-9]{22})")
-$regexSearch.add("Mattermost Access Token", "([a-z0-9]{26})")
-$regexSearch.add("MessageBird API Key & API client ID", "(messagebird[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{25}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]")
-$regexSearch.add("Microsoft Teams Webhook", "https:\/\/[a-z0-9]+\.webhook\.office\.com\/webhookb2\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}@[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}\/IncomingWebhook\/[a-z0-9]{32}\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}")
-$regexSearch.add("MojoAuth API Key", "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}")
-$regexSearch.add("Netlify Access Token", "([a-z0-9=_\-]{40,46})")
-$regexSearch.add("New Relic User API Key, User API ID & Ingest Browser API Key", "(NRAK-[A-Z0-9]{27})|((newrelic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{64})['""])|(NRJS-[a-f0-9]{19})")
-$regexSearch.add("Nownodes", "(nownodes[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9]{32})['""]")
-$regexSearch.add("Npm Access Token", "(npm_[a-zA-Z0-9]{36})")
-$regexSearch.add("Nytimes Access Token", "([a-z0-9=_\-]{32})")
-$regexSearch.add("Okta Access Token", "([a-z0-9=_\-]{42})")
-$regexSearch.add("OpenAI API Token", "sk-[A-Za-z0-9]{48}")
-$regexSearch.add("ORB Intelligence Access Key", "['""][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['""]")
-$regexSearch.add("Pastebin API Key", "(pastebin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
-$regexSearch.add("PayPal Braintree Access Token", 'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}')
-$regexSearch.add("Picatic API Key", "sk_live_[0-9a-z]{32}")
-$regexSearch.add("Pinata API Key", "(pinata[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{64})['""]")
-$regexSearch.add("Planetscale API Key", "pscale_tkn_[a-zA-Z0-9_\.\-]{43}")
-$regexSearch.add("PlanetScale OAuth token", "(pscale_oauth_[a-zA-Z0-9_\.\-]{32,64})")
-$regexSearch.add("Planetscale Password", "pscale_pw_[a-zA-Z0-9_\.\-]{43}")
-$regexSearch.add("Plaid API Token", "(access-(?:sandbox|development|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
-$regexSearch.add("Plaid Client ID", "([a-z0-9]{24})")
-$regexSearch.add("Plaid Secret key", "([a-z0-9]{30})")
-$regexSearch.add("Prefect API token", "(pnu_[a-z0-9]{36})")
-$regexSearch.add("Postman API Key", "PMAK-[a-fA-F0-9]{24}-[a-fA-F0-9]{34}")
-$regexSearch.add("Private Keys", "\-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN OPENSSH PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN PGP PRIVATE KEY BLOCK\-\-\-\-\-|\-\-\-\-\-BEGIN DSA PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN EC PRIVATE KEY\-\-\-\-\-")
-$regexSearch.add("Pulumi API Key", "pul-[a-f0-9]{40}")
-$regexSearch.add("PyPI upload token", "pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_\-]{50,}")
-$regexSearch.add("Quip API Key", "(quip[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{15}=\|[0-9]{10}\|[a-zA-Z0-9\/+]{43}=)['""]")
-$regexSearch.add("RapidAPI Access Token", "([a-z0-9_-]{50})")
-$regexSearch.add("Rubygem API Key", "rubygems_[a-f0-9]{48}")
-$regexSearch.add("Readme API token", "rdme_[a-z0-9]{70}")
-$regexSearch.add("Sendbird Access ID", "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
-$regexSearch.add("Sendbird Access Token", "([a-f0-9]{40})")
-$regexSearch.add("Sendgrid API Key", "SG\.[a-zA-Z0-9_\.\-]{66}")
-$regexSearch.add("Sendinblue API Key", "xkeysib-[a-f0-9]{64}-[a-zA-Z0-9]{16}")
-$regexSearch.add("Sentry Access Token", "([a-f0-9]{64})")
-$regexSearch.add("Shippo API Key, Access Token, Custom Access Token, Private App Access Token & Shared Secret", "shippo_(live|test)_[a-f0-9]{40}|shpat_[a-fA-F0-9]{32}|shpca_[a-fA-F0-9]{32}|shppa_[a-fA-F0-9]{32}|shpss_[a-fA-F0-9]{32}")
-$regexSearch.add("Sidekiq Secret", "([a-f0-9]{8}:[a-f0-9]{8})")
-$regexSearch.add("Sidekiq Sensitive URL", "([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)")
-$regexSearch.add("Slack Token", "xox[baprs]-([0-9a-zA-Z]{10,48})?")
-$regexSearch.add("Slack Webhook", "https://hooks.slack.com/services/T[a-zA-Z0-9_]{10}/B[a-zA-Z0-9_]{10}/[a-zA-Z0-9_]{24}")
-$regexSearch.add("Smarksheel API Key", "(smartsheet[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{26})['""]")
-$regexSearch.add("Square Access Token", "sqOatp-[0-9A-Za-z_\-]{22}")
-$regexSearch.add("Square API Key", "EAAAE[a-zA-Z0-9_-]{59}")
-$regexSearch.add("Square Oauth Secret", "sq0csp-[ 0-9A-Za-z_\-]{43}")
-$regexSearch.add("Stytch API Key", "secret-.*-[a-zA-Z0-9_=\-]{36}")
-$regexSearch.add("Stripe Access Token & API Key", "(sk|pk)_(test|live)_[0-9a-z]{10,32}|k_live_[0-9a-zA-Z]{24}")
-$regexSearch.add("SumoLogic Access ID", "([a-z0-9]{14})")
-$regexSearch.add("SumoLogic Access Token", "([a-z0-9]{64})")
-$regexSearch.add("Telegram Bot API Token", "[0-9]+:AA[0-9A-Za-z\\-_]{33}")
-$regexSearch.add("Travis CI Access Token", "([a-z0-9]{22})")
-$regexSearch.add("Trello API Key", "(trello[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-z]{32})['""]")
-$regexSearch.add("Twilio API Key", "SK[0-9a-fA-F]{32}")
-$regexSearch.add("Twitch API Key", "(twitch[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]")
-$regexSearch.add("Twitter Client ID", "[tT][wW][iI][tT][tT][eE][rR](.{0,20})?['""][0-9a-z]{18,25}")
-$regexSearch.add("Twitter Bearer Token", "(A{22}[a-zA-Z0-9%]{80,100})")
-$regexSearch.add("Twitter Oauth", "[tT][wW][iI][tT][tT][eE][rR].{0,30}['""\\s][0-9a-zA-Z]{35,44}['""\\s]")
-$regexSearch.add("Twitter Secret Key", "[tT][wW][iI][tT][tT][eE][rR](.{0,20})?['""][0-9a-z]{35,44}")
-$regexSearch.add("Typeform API Key", "tfp_[a-z0-9_\.=\-]{59}")
-$regexSearch.add("URLScan API Key", "['""][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['""]")
-$regexSearch.add("Vault Token", "[sb]\.[a-zA-Z0-9]{24}")
-$regexSearch.add("Yandex Access Token", "(t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2})")
-$regexSearch.add("Yandex API Key", "(AQVN[A-Za-z0-9_\-]{35,38})")
-$regexSearch.add("Yandex AWS Access Token", "(YC[a-zA-Z0-9_\-]{38})")
-$regexSearch.add("Web3 API Key", "(web3[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9_=\-]+\.[A-Za-z0-9_=\-]+\.?[A-Za-z0-9_.+/=\-]*)['""]")
-$regexSearch.add("Zendesk Secret Key", "([a-z0-9]{40})")
-$regexSearch.add("Generic API Key", "((key|api|token|secret|password)[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]")
-$regexSearch.add("Generic Secret", "[sS][eE][cC][rR][eE][tT].*['""][0-9a-zA-Z]{32,45}['""]")
-$regexSearch.add("Basic Auth", "//(.+):(.+)@")
-$regexSearch.add("PHP Passwords", "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass|pass').*[=:].+|define ?\('(\w*pass|\w*pwd|\w*user|\w*datab)")
-$regexSearch.add("Config Secrets", "passwd.*|creden.*|^kind:[^a-zA-Z0-9_]?Secret|[^a-zA-Z0-9_]env:|secret:|secretName:|^kind:[^a-zA-Z0-9_]?EncryptionConfiguration|\-\-encryption\-provider\-config")
-$regexSearch.add("Simple Passwords", "passw.*[=:].+")
-$regexSearch.add("Generiac API tokens search", "(access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key| amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret| api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret| application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket| aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password| bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key| bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver| cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret| client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password| cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|conn.login| connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test| datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password| digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd| docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid| dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password| env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .,<\-]{0,25}(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]")
-$regexSearch.add("Usernames", "username.*[=:].+")
-$regexSearch.add("Net user add", "net user .+ /add")
+
+if ($password) {
+  $regexSearch.add("Simple Passwords1", "pass.*[=:].+")
+  $regexSearch.add("Simple Passwords2", "pwd.*[=:].+")
+  $regexSearch.add("Apr1 MD5", '\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}')
+  $regexSearch.add("Apache SHA", "\{SHA\}[0-9a-zA-Z/_=]{10,}")
+  $regexSearch.add("Blowfish", '\$2[abxyz]?\$[0-9]{2}\$[a-zA-Z0-9_/\.]*')
+  $regexSearch.add("Drupal", '\$S\$[a-zA-Z0-9_/\.]{52}')
+  $regexSearch.add("Joomlavbulletin", "[0-9a-zA-Z]{32}:[a-zA-Z0-9_]{16,32}")
+  $regexSearch.add("Linux MD5", '\$1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}')
+  $regexSearch.add("phpbb3", '\$H\$[a-zA-Z0-9_/\.]{31}')
+  $regexSearch.add("sha512crypt", '\$6\$[a-zA-Z0-9_/\.]{16}\$[a-zA-Z0-9_/\.]{86}')
+  $regexSearch.add("Wordpress", '\$P\$[a-zA-Z0-9_/\.]{31}')
+  $regexSearch.add("md5", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{32}([^a-zA-Z0-9]|$)")
+  $regexSearch.add("sha1", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)")
+  $regexSearch.add("sha256", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{64}([^a-zA-Z0-9]|$)")
+  $regexSearch.add("sha512", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{128}([^a-zA-Z0-9]|$)")  
+  # This does not work correctly
+  #$regexSearch.add("Base32", "(?:[A-Z2-7]{8})*(?:[A-Z2-7]{2}={6}|[A-Z2-7]{4}={4}|[A-Z2-7]{5}={3}|[A-Z2-7]{7}=)?")
+  $regexSearch.add("Base64", "(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[a-zA-Z0-9+\/]+={0,2}")
+
+}
+if ($username) {
+  $regexSearch.add("Usernames1", "username[=:].+")
+  $regexSearch.add("Usernames2", "user[=:].+")
+  $regexSearch.add("Usernames3", "login[=:].+")
+  $regexSearch.add("Emails", "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}")
+  $regexSearch.add("Net user add", "net user .+ /add")
+}
+
+if ($FullCheck) {
+  $regexSearch.add("Artifactory API Token", "AKC[a-zA-Z0-9]{10,}")
+  $regexSearch.add("Artifactory Password", "AP[0-9ABCDEF][a-zA-Z0-9]{8,}")
+  $regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})")
+  $regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})")
+  $regexSearch.add("Adobe Client Id (Oauth Web)", "(adobe[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""]")
+  $regexSearch.add("Abode Client Secret", "(p8e-)[a-z0-9]{32}")
+  $regexSearch.add("Age Secret Key", "AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}")
+  $regexSearch.add("Airtable API Key", "([a-z0-9]{17})")
+  $regexSearch.add("Alchemi API Key", "(alchemi[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9-]{32})['""]")
+  $regexSearch.add("Artifactory API Key & Password", "[""']AKC[a-zA-Z0-9]{10,}[""']|[""']AP[0-9ABCDEF][a-zA-Z0-9]{8,}[""']")
+  $regexSearch.add("Atlassian API Key", "(atlassian[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{24})['""]")
+  $regexSearch.add("Binance API Key", "(binance[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{64})['""]")
+  $regexSearch.add("Bitbucket Client Id", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
+  $regexSearch.add("Bitbucket Client Secret", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9_\-]{64})['""])")
+  $regexSearch.add("BitcoinAverage API Key", "(bitcoin.?average[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{43})['""]")
+  $regexSearch.add("Bitquery API Key", "(bitquery[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9]{32})['""]")
+  $regexSearch.add("Bittrex Access Key and Access Key", "([a-z0-9]{32})")
+  $regexSearch.add("Birise API Key", "(bitrise[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9_\-]{86})['""]")
+  $regexSearch.add("Block API Key", "(block[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4})['""]")
+  $regexSearch.add("Blockchain API Key", "mainnet[a-zA-Z0-9]{32}|testnet[a-zA-Z0-9]{32}|ipfs[a-zA-Z0-9]{32}")
+  $regexSearch.add("Blockfrost API Key", "(blockchain[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[0-9a-f]{12})['""]")
+  $regexSearch.add("Box API Key", "(box[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{32})['""]")
+  $regexSearch.add("Bravenewcoin API Key", "(bravenewcoin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{50})['""]")
+  $regexSearch.add("Clearbit API Key", "sk_[a-z0-9]{32}")
+  $regexSearch.add("Clojars API Key", "(CLOJARS_)[a-zA-Z0-9]{60}")
+  $regexSearch.add("Coinbase Access Token", "([a-z0-9_-]{64})")
+  $regexSearch.add("Coinlayer API Key", "(coinlayer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
+  $regexSearch.add("Coinlib API Key", "(coinlib[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{16})['""]")
+  $regexSearch.add("Confluent Access Token & Secret Key", "([a-z0-9]{16})")
+  $regexSearch.add("Contentful delivery API Key", "(contentful[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{43})['""]")
+  $regexSearch.add("Covalent API Key", "ckey_[a-z0-9]{27}")
+  $regexSearch.add("Charity Search API Key", "(charity.?search[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
+  $regexSearch.add("Databricks API Key", "dapi[a-h0-9]{32}")
+  $regexSearch.add("DDownload API Key", "(ddownload[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{22})['""]")
+  $regexSearch.add("Defined Networking API token", "(dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52})")
+  $regexSearch.add("Discord API Key, Client ID & Client Secret", "((discord[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-h0-9]{64}|[0-9]{18}|[a-z0-9=_\-]{32})['""])")
+  $regexSearch.add("Droneci Access Token", "([a-z0-9]{32})")
+  $regexSearch.add("Dropbox API Key", "sl.[a-zA-Z0-9_-]{136}")
+  $regexSearch.add("Doppler API Key", "(dp\.pt\.)[a-zA-Z0-9]{43}")
+  $regexSearch.add("Dropbox API secret/key, short & long lived API Key", "(dropbox[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{15}|sl\.[a-z0-9=_\-]{135}|[a-z0-9]{11}(AAAAAAAAAA)[a-z0-9_=\-]{43})['""]")
+  $regexSearch.add("Duffel API Key", "duffel_(test|live)_[a-zA-Z0-9_-]{43}")
+  $regexSearch.add("Dynatrace API Key", "dt0c01\.[a-zA-Z0-9]{24}\.[a-z0-9]{64}")
+  $regexSearch.add("EasyPost API Key", "EZAK[a-zA-Z0-9]{54}")
+  $regexSearch.add("EasyPost test API Key", "EZTK[a-zA-Z0-9]{54}")
+  $regexSearch.add("Etherscan API Key", "(etherscan[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{34})['""]")
+  $regexSearch.add("Etsy Access Token", "([a-z0-9]{24})")
+  $regexSearch.add("Facebook Access Token", "EAACEdEose0cBA[0-9A-Za-z]+")
+  $regexSearch.add("Fastly API Key", "(fastly[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{32})['""]")
+  $regexSearch.add("Finicity API Key & Client Secret", "(finicity[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32}|[a-z0-9]{20})['""]")
+  $regexSearch.add("Flickr Access Token", "([a-z0-9]{32})")
+  $regexSearch.add("Flutterweave Keys", "FLWPUBK_TEST-[a-hA-H0-9]{32}-X|FLWSECK_TEST-[a-hA-H0-9]{32}-X|FLWSECK_TEST[a-hA-H0-9]{12}")
+  $regexSearch.add("Frame.io API Key", "fio-u-[a-zA-Z0-9_=\-]{64}")
+  $regexSearch.add("Freshbooks Access Token", "([a-z0-9]{64})")
+  $regexSearch.add("Github", "github(.{0,20})?['""][0-9a-zA-Z]{35,40}")
+  $regexSearch.add("Github App Token", "(ghu|ghs)_[0-9a-zA-Z]{36}")
+  $regexSearch.add("Github OAuth Access Token", "gho_[0-9a-zA-Z]{36}")
+  $regexSearch.add("Github Personal Access Token", "ghp_[0-9a-zA-Z]{36}")
+  $regexSearch.add("Github Refresh Token", "ghr_[0-9a-zA-Z]{76}")
+  $regexSearch.add("GitHub Fine-Grained Personal Access Token", "github_pat_[0-9a-zA-Z_]{82}")
+  $regexSearch.add("Gitlab Personal Access Token", "glpat-[0-9a-zA-Z\-]{20}")
+  $regexSearch.add("GitLab Pipeline Trigger Token", "glptt-[0-9a-f]{40}")
+  $regexSearch.add("GitLab Runner Registration Token", "GR1348941[0-9a-zA-Z_\-]{20}")
+  $regexSearch.add("Gitter Access Token", "([a-z0-9_-]{40})")
+  $regexSearch.add("GoCardless API Key", "live_[a-zA-Z0-9_=\-]{40}")
+  $regexSearch.add("GoFile API Key", "(gofile[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{32})['""]")
+  $regexSearch.add("Google API Key", "AIza[0-9A-Za-z_\-]{35}")
+  $regexSearch.add("Google Cloud Platform API Key", "(google|gcp|youtube|drive|yt)(.{0,20})?['""][AIza[0-9a-z_\-]{35}]['""]")
+  $regexSearch.add("Google Drive Oauth", "[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com")
+  $regexSearch.add("Google Oauth Access Token", "ya29\.[0-9A-Za-z_\-]+")
+  $regexSearch.add("Google (GCP) Service-account", """type.+:.+""service_account")
+  $regexSearch.add("Grafana API Key", "eyJrIjoi[a-z0-9_=\-]{72,92}")
+  $regexSearch.add("Grafana cloud api token", "glc_[A-Za-z0-9\+/]{32,}={0,2}")
+  $regexSearch.add("Grafana service account token", "(glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})")
+  $regexSearch.add("Hashicorp Terraform user/org API Key", "[a-z0-9]{14}\.atlasv1\.[a-z0-9_=\-]{60,70}")
+  $regexSearch.add("Heroku API Key", "[hH][eE][rR][oO][kK][uU].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}")
+  $regexSearch.add("Hubspot API Key", "['""][a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12}['""]")
+  $regexSearch.add("Instatus API Key", "(instatus[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
+  $regexSearch.add("Intercom API Key & Client Secret/ID", "(intercom[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_]{60}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]")
+  $regexSearch.add("Ionic API Key", "(ionic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](ion_[a-z0-9]{42})['""]")
+  $regexSearch.add("JSON Web Token", "(ey[0-9a-z]{30,34}\.ey[0-9a-z\/_\-]{30,}\.[0-9a-zA-Z\/_\-]{10,}={0,2})")
+  $regexSearch.add("Kraken Access Token", "([a-z0-9\/=_\+\-]{80,90})")
+  $regexSearch.add("Kucoin Access Token", "([a-f0-9]{24})")
+  $regexSearch.add("Kucoin Secret Key", "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
+  $regexSearch.add("Launchdarkly Access Token", "([a-z0-9=_\-]{40})")
+  $regexSearch.add("Linear API Key", "(lin_api_[a-zA-Z0-9]{40})")
+  $regexSearch.add("Linear Client Secret/ID", "((linear[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""])")
+  $regexSearch.add("LinkedIn Client ID", "linkedin(.{0,20})?['""][0-9a-z]{12}['""]")
+  $regexSearch.add("LinkedIn Secret Key", "linkedin(.{0,20})?['""][0-9a-z]{16}['""]")
+  $regexSearch.add("Lob API Key", "((lob[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]((live|test)_[a-f0-9]{35})['""])|((lob[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]((test|live)_pub_[a-f0-9]{31})['""])")
+  $regexSearch.add("Lob Publishable API Key", "((test|live)_pub_[a-f0-9]{31})")
+  $regexSearch.add("MailboxValidator", "(mailbox.?validator[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{20})['""]")
+  $regexSearch.add("Mailchimp API Key", "[0-9a-f]{32}-us[0-9]{1,2}")
+  $regexSearch.add("Mailgun API Key", "key-[0-9a-zA-Z]{32}'")
+  $regexSearch.add("Mailgun Public Validation Key", "pubkey-[a-f0-9]{32}")
+  $regexSearch.add("Mailgun Webhook signing key", "[a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8}")
+  $regexSearch.add("Mapbox API Key", "(pk\.[a-z0-9]{60}\.[a-z0-9]{22})")
+  $regexSearch.add("Mattermost Access Token", "([a-z0-9]{26})")
+  $regexSearch.add("MessageBird API Key & API client ID", "(messagebird[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{25}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]")
+  $regexSearch.add("Microsoft Teams Webhook", "https:\/\/[a-z0-9]+\.webhook\.office\.com\/webhookb2\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}@[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}\/IncomingWebhook\/[a-z0-9]{32}\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}")
+  $regexSearch.add("MojoAuth API Key", "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}")
+  $regexSearch.add("Netlify Access Token", "([a-z0-9=_\-]{40,46})")
+  $regexSearch.add("New Relic User API Key, User API ID & Ingest Browser API Key", "(NRAK-[A-Z0-9]{27})|((newrelic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{64})['""])|(NRJS-[a-f0-9]{19})")
+  $regexSearch.add("Nownodes", "(nownodes[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9]{32})['""]")
+  $regexSearch.add("Npm Access Token", "(npm_[a-zA-Z0-9]{36})")
+  $regexSearch.add("Nytimes Access Token", "([a-z0-9=_\-]{32})")
+  $regexSearch.add("Okta Access Token", "([a-z0-9=_\-]{42})")
+  $regexSearch.add("OpenAI API Token", "sk-[A-Za-z0-9]{48}")
+  $regexSearch.add("ORB Intelligence Access Key", "['""][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['""]")
+  $regexSearch.add("Pastebin API Key", "(pastebin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
+  $regexSearch.add("PayPal Braintree Access Token", 'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}')
+  $regexSearch.add("Picatic API Key", "sk_live_[0-9a-z]{32}")
+  $regexSearch.add("Pinata API Key", "(pinata[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{64})['""]")
+  $regexSearch.add("Planetscale API Key", "pscale_tkn_[a-zA-Z0-9_\.\-]{43}")
+  $regexSearch.add("PlanetScale OAuth token", "(pscale_oauth_[a-zA-Z0-9_\.\-]{32,64})")
+  $regexSearch.add("Planetscale Password", "pscale_pw_[a-zA-Z0-9_\.\-]{43}")
+  $regexSearch.add("Plaid API Token", "(access-(?:sandbox|development|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
+  $regexSearch.add("Plaid Client ID", "([a-z0-9]{24})")
+  $regexSearch.add("Plaid Secret key", "([a-z0-9]{30})")
+  $regexSearch.add("Prefect API token", "(pnu_[a-z0-9]{36})")
+  $regexSearch.add("Postman API Key", "PMAK-[a-fA-F0-9]{24}-[a-fA-F0-9]{34}")
+  $regexSearch.add("Private Keys", "\-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN OPENSSH PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN PGP PRIVATE KEY BLOCK\-\-\-\-\-|\-\-\-\-\-BEGIN DSA PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN EC PRIVATE KEY\-\-\-\-\-")
+  $regexSearch.add("Pulumi API Key", "pul-[a-f0-9]{40}")
+  $regexSearch.add("PyPI upload token", "pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_\-]{50,}")
+  $regexSearch.add("Quip API Key", "(quip[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{15}=\|[0-9]{10}\|[a-zA-Z0-9\/+]{43}=)['""]")
+  $regexSearch.add("RapidAPI Access Token", "([a-z0-9_-]{50})")
+  $regexSearch.add("Rubygem API Key", "rubygems_[a-f0-9]{48}")
+  $regexSearch.add("Readme API token", "rdme_[a-z0-9]{70}")
+  $regexSearch.add("Sendbird Access ID", "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
+  $regexSearch.add("Sendbird Access Token", "([a-f0-9]{40})")
+  $regexSearch.add("Sendgrid API Key", "SG\.[a-zA-Z0-9_\.\-]{66}")
+  $regexSearch.add("Sendinblue API Key", "xkeysib-[a-f0-9]{64}-[a-zA-Z0-9]{16}")
+  $regexSearch.add("Sentry Access Token", "([a-f0-9]{64})")
+  $regexSearch.add("Shippo API Key, Access Token, Custom Access Token, Private App Access Token & Shared Secret", "shippo_(live|test)_[a-f0-9]{40}|shpat_[a-fA-F0-9]{32}|shpca_[a-fA-F0-9]{32}|shppa_[a-fA-F0-9]{32}|shpss_[a-fA-F0-9]{32}")
+  $regexSearch.add("Sidekiq Secret", "([a-f0-9]{8}:[a-f0-9]{8})")
+  $regexSearch.add("Sidekiq Sensitive URL", "([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)")
+  $regexSearch.add("Slack Token", "xox[baprs]-([0-9a-zA-Z]{10,48})?")
+  $regexSearch.add("Slack Webhook", "https://hooks.slack.com/services/T[a-zA-Z0-9_]{10}/B[a-zA-Z0-9_]{10}/[a-zA-Z0-9_]{24}")
+  $regexSearch.add("Smarksheel API Key", "(smartsheet[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{26})['""]")
+  $regexSearch.add("Square Access Token", "sqOatp-[0-9A-Za-z_\-]{22}")
+  $regexSearch.add("Square API Key", "EAAAE[a-zA-Z0-9_-]{59}")
+  $regexSearch.add("Square Oauth Secret", "sq0csp-[ 0-9A-Za-z_\-]{43}")
+  $regexSearch.add("Stytch API Key", "secret-.*-[a-zA-Z0-9_=\-]{36}")
+  $regexSearch.add("Stripe Access Token & API Key", "(sk|pk)_(test|live)_[0-9a-z]{10,32}|k_live_[0-9a-zA-Z]{24}")
+  $regexSearch.add("SumoLogic Access ID", "([a-z0-9]{14})")
+  $regexSearch.add("SumoLogic Access Token", "([a-z0-9]{64})")
+  $regexSearch.add("Telegram Bot API Token", "[0-9]+:AA[0-9A-Za-z\\-_]{33}")
+  $regexSearch.add("Travis CI Access Token", "([a-z0-9]{22})")
+  $regexSearch.add("Trello API Key", "(trello[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-z]{32})['""]")
+  $regexSearch.add("Twilio API Key", "SK[0-9a-fA-F]{32}")
+  $regexSearch.add("Twitch API Key", "(twitch[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]")
+  $regexSearch.add("Twitter Client ID", "[tT][wW][iI][tT][tT][eE][rR](.{0,20})?['""][0-9a-z]{18,25}")
+  $regexSearch.add("Twitter Bearer Token", "(A{22}[a-zA-Z0-9%]{80,100})")
+  $regexSearch.add("Twitter Oauth", "[tT][wW][iI][tT][tT][eE][rR].{0,30}['""\\s][0-9a-zA-Z]{35,44}['""\\s]")
+  $regexSearch.add("Twitter Secret Key", "[tT][wW][iI][tT][tT][eE][rR](.{0,20})?['""][0-9a-z]{35,44}")
+  $regexSearch.add("Typeform API Key", "tfp_[a-z0-9_\.=\-]{59}")
+  $regexSearch.add("URLScan API Key", "['""][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['""]")
+  $regexSearch.add("Vault Token", "[sb]\.[a-zA-Z0-9]{24}")
+  $regexSearch.add("Yandex Access Token", "(t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2})")
+  $regexSearch.add("Yandex API Key", "(AQVN[A-Za-z0-9_\-]{35,38})")
+  $regexSearch.add("Yandex AWS Access Token", "(YC[a-zA-Z0-9_\-]{38})")
+  $regexSearch.add("Web3 API Key", "(web3[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9_=\-]+\.[A-Za-z0-9_=\-]+\.?[A-Za-z0-9_.+/=\-]*)['""]")
+  $regexSearch.add("Zendesk Secret Key", "([a-z0-9]{40})")
+  $regexSearch.add("Generic API Key", "((key|api|token|secret|password)[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]")
+}
+
+if ($webAuth) {
+  $regexSearch.add("Authorization Basic", "basic [a-zA-Z0-9_:\.=\-]+")
+  $regexSearch.add("Authorization Bearer", "bearer [a-zA-Z0-9_\.=\-]+")
+  $regexSearch.add("Alibaba Access Key ID", "(LTAI)[a-z0-9]{20}")
+  $regexSearch.add("Alibaba Secret Key", "(alibaba[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]")
+  $regexSearch.add("Asana Client ID", "((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9]{16})['""])|((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
+  $regexSearch.add("AWS Client ID", "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}")
+  $regexSearch.add("AWS MWS Key", "amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
+  $regexSearch.add("AWS Secret Key", "aws(.{0,20})?['""][0-9a-zA-Z\/+]{40}['""]")
+  $regexSearch.add("AWS AppSync GraphQL Key", "da2-[a-z0-9]{26}")
+  $regexSearch.add("Basic Auth Credentials", "://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[a-zA-Z]+")
+  $regexSearch.add("Beamer Client Secret", "(beamer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](b_[a-z0-9=_\-]{44})['""]")
+  $regexSearch.add("Cloudinary Basic Auth", "cloudinary://[0-9]{15}:[0-9A-Za-z]+@[a-z]+")
+  $regexSearch.add("Facebook Client ID", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9]{13,17}")
+  $regexSearch.add("Facebook Oauth", "[fF][aA][cC][eE][bB][oO][oO][kK].*['|""][0-9a-f]{32}['|""]")
+  $regexSearch.add("Facebook Secret Key", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9a-f]{32}")
+  $regexSearch.add("Jenkins Creds", "<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<")
+  $regexSearch.add("Generic Secret", "[sS][eE][cC][rR][eE][tT].*['""][0-9a-zA-Z]{32,45}['""]")
+  $regexSearch.add("Basic Auth", "//(.+):(.+)@")
+  $regexSearch.add("PHP Passwords", "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass|pass').*[=:].+|define ?\('(\w*pass|\w*pwd|\w*user|\w*datab)")
+  $regexSearch.add("Config Secrets (Passwd / Credentials)", "passwd.*|creden.*|^kind:[^a-zA-Z0-9_]?Secret|[^a-zA-Z0-9_]env:|secret:|secretName:|^kind:[^a-zA-Z0-9_]?EncryptionConfiguration|\-\-encryption\-provider\-config")
+  $regexSearch.add("Generiac API tokens search", "(access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key| amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret| api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret| application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket| aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password| bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key| bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver| cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret| client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password| cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|conn.login| connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test| datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password| digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd| docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid| dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password| env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .,<\-]{0,25}(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]")
+}
+
+if($FullCheck){$Excel = $true}
+
 $regexSearch.add("IPs", "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")
-$regexSearch.add("Emails", "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}")
+$Drives = Get-PSDrive | Where-Object { $_.Root -like "*:\" }
+$fileExtensions = @("*.xml", "*.txt", "*.conf", "*.config", "*.cfg", "*.ini", ".y*ml", "*.log", "*.bak", "*.xls", "*.xlsx", "*.xlsm")
+

 ######################## INTRODUCTION ########################
 $stopwatch = [system.diagnostics.stopwatch]::StartNew()
+
+if ($FullCheck) {
+  Write-Host "**Full Check Enabled. This will significantly increase false positives in registry / folder check for Usernames / Passwords.**"
+}
 # Introduction    
-Write-Host -ForegroundColor cyan  "ADVISORY: WinPEAS - Windows local Privilege Escalation Awesome Script"
-Write-Host -ForegroundColor cyan  "WinPEAS should be used for authorized penetration testing and/or educational purposes only"
-Write-Host -ForegroundColor cyan  "Any misuse of this software will not be the responsibility of the author or of any other collaborator"
-Write-Host -ForegroundColor cyan  "Use it at your own networks and/or with the network owner's explicit permission"
+Write-Host -BackgroundColor Red -ForegroundColor White  "ADVISORY: WinPEAS - Windows local Privilege Escalation Awesome Script"
+Write-Host -BackgroundColor Red -ForegroundColor White "WinPEAS should be used for authorized penetration testing and/or educational purposes only"
+Write-Host -BackgroundColor Red -ForegroundColor White "Any misuse of this software will not be the responsibility of the author or of any other collaborator"
+Write-Host -BackgroundColor Red -ForegroundColor White "Use it at your own networks and/or with the network owner's explicit permission"


 # Color Scheme Introduction
@@ -1333,7 +1462,6 @@ Write-Host -ForegroundColor Blue "=========|| SAM / SYSTEM Backup Checks"
  }
 }

-
 Write-Host ""
 if ($TimeStamp) { TimeElapsed }
 Write-Host -ForegroundColor Blue "=========|| Group Policy Password Check"
@@ -1352,9 +1480,67 @@ if ($TimeStamp) { TimeElapsed }
 Write-Host -ForegroundColor Blue "=========|| Recycle Bin TIP:"
 Write-Host "if credentials are found in the recycle bin, tool from nirsoft may assist: http://www.nirsoft.net/password_recovery_tools.html" -ForegroundColor Yellow

+######################## File/Folder Check ########################
+
+Write-Host ""
+if ($TimeStamp) { TimeElapsed }
+Write-Host -ForegroundColor Blue "=========||  Password Check in Files/Folders"
+
+# Looking through the entire computer for passwords
+# Also looks for MCaffee site list while looping through the drives.
+if ($TimeStamp) { TimeElapsed }
+Write-Host -ForegroundColor Blue "=========|| Password Check. Starting at root of each drive. This will take some time. Like, grab a coffee or tea kinda time."
+Write-Host -ForegroundColor Blue "=========|| Looking through each drive, searching for $fileExtensions"
+# Check if the Excel com object is installed, if so, look through files, if not, just notate if a file has "user" or "password in name"
+try { New-Object -ComObject Excel.Application | Out-Null; $ReadExcel = $true }catch {$ReadExcel = $false; if($Excel){
+  Write-Host -ForegroundColor Yellow "Host does not have Excel COM object, will still point out excel files when found."
+}}
+$Drives.Root | ForEach-Object {
+  $Drive = $_
+  Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {
+    $path = $_
+    #Exclude files/folders with 'lang' in the name
+    if ($Path.FullName | select-string "(?i).*lang.*") {
+      #Write-Host "$($_.FullName) found!" -ForegroundColor red
+    }
+    if($Path.FullName | Select-String "(?i).:\\.*\\.*Pass.*"){
+      write-host -ForegroundColor Blue "$($path.FullName) contains the word 'pass'"
+    }
+    if($Path.FullName | Select-String ".:\\.*\\.*user.*" ){
+      Write-Host -ForegroundColor Blue "$($path.FullName) contains the word 'user' -excluding the 'users' directory"
+    }
+    # If path name ends with common excel extensions
+    elseif ($Path.FullName | Select-String ".*\.xls",".*\.xlsm",".*\.xlsx") {
+      if ($ReadExcel -and $Excel) {
+        Search-Excel -Source $Path.FullName -SearchText "user"
+        Search-Excel -Source $Path.FullName -SearchText "pass"
+      }
+    }
+    else {
+      if ($path.Length -gt 0) {
+        # Write-Host -ForegroundColor Blue "Path name matches extension search: $path"
+      }
+      if ($path.FullName | Select-String "(?i).*SiteList\.xml") {
+        Write-Host "Possible MCaffee Site List Found: $($_.FullName)"
+        Write-Host "Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption" -ForegroundColor Yellow
+      }
+      $regexSearch.keys | ForEach-Object {
+        $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1
+        if ($passwordFound) {
+          Write-Host "Possible Password found: $_" -ForegroundColor Yellow
+          Write-Host $Path.FullName
+          Write-Host -ForegroundColor Blue "$_ triggered"
+          Write-Host $passwordFound -ForegroundColor Red
+        }
+      }
+    }  
+  }
+}
+
+######################## Registry Password Check ########################
+
 Write-Host -ForegroundColor Blue "=========|| Registry Password Check"
 # Looking through the entire registry for passwords
-Write-Host "Checking over 200 different password regex types."
 Write-Host "This will take some time. Won't you have a pepsi?"
 $regPath = @("registry::\HKEY_CURRENT_USER\", "registry::\HKEY_LOCAL_MACHINE\")
 # Search for the string in registry values and properties
@@ -1382,33 +1568,3 @@ foreach ($r in $regPath) {
  if ($TimeStamp) { TimeElapsed }
  Write-Host "Finished $r"
 }
-
-Write-Host ""
-if ($TimeStamp) { TimeElapsed }
-Write-Host -ForegroundColor Blue "=========||  Password Check in Files"
-# Looking through the entire computer for passwords
-$Drives = Get-PSDrive | Where-Object { $_.Root -like "*:\" }
-$fileExtensions = @("*.xml", "*.txt", "*.conf","*.config", "*.cfg", "*.ini", ".y*ml", "*.log", "*.bak")
-Write-Host ""
-if ($TimeStamp) { TimeElapsed }
-Write-Host -ForegroundColor Blue "=========|| Password Check. Starting at root of each drive. This will take some time. Like, grab a coffee or tea."
-Write-Host -ForegroundColor Blue "=========|| Looking through each drive, searching for $fileExtensions"
-# Also looks for MCaffee site list while looping through the drives.
-$Drives.Root | ForEach-Object {
-  $Drive = $_
-  Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue | ForEach-Object {
-    $path = $_
-    if ($path -like "*SiteList.xml") {
-      Write-Host "Possible MCaffee Site List Found: $($_.FullName)"
-      Write-Host "Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption" -ForegroundColor Yellow
-    }
-    $regexSearch.keys | ForEach-Object {
-      $password = Get-Content $path.FullName -ErrorAction SilentlyContinue | Select-String $regexSearch[$_]
-      if ($password) {
-        Write-Host "Possible Password found: $_" -ForegroundColor Yellow
-        Write-Host $Path.FullName
-        Write-Host $password -ForegroundColor Red
-      }
-    }
-  }
-}
Author	SHA1	Message	Date
Carlos Polop	31aed5cd92	Merge pull request #397 from RandolphConley/master code update ; Added search / function for excel files	2023-10-24 12:34:02 +02:00
StevenLtheThird	11d93c42e7	Update winPEAS.ps1 Remove extra code in search for files.	2023-10-13 17:46:43 -04:00
StevenLtheThird	9f75cc824c	Merge branch 'master' of https://github.com/RandolphConley/PEASS-ng	2023-10-13 17:43:05 -04:00
StevenLtheThird	8caca65606	Update winPEAS.ps1	2023-10-13 17:42:51 -04:00
RandolphConley	3ee6ee0836	Merge branch 'carlospolop:master' into master	2023-10-13 17:39:54 -04:00
StevenLtheThird	e0b0ffcacc	code update ; Added search / function for excel files Function will read excel files looking for words: "user" or "pass" - in case those cells are populated for a credentials file.	2023-10-13 17:39:24 -04:00
Carlos Polop	9163062daa	Merge pull request #396 from RandolphConley/master logo color, updated output, added -fullcheck flag	2023-10-11 22:59:21 +02:00
StevenLtheThird	6d8db70b30	Merge branch 'master' of https://github.com/RandolphConley/PEASS-ng	2023-10-11 15:58:02 -04:00
StevenLtheThird	4ee91b897a	logo color, updated output, added -fullcheck flag Added colors to the logo, so winPEAS looks like it should. Updated the output to filter out erroneous information. Which leads to the -fullcheck flag. The flag adds all regex searches back into the script to check files/folders for data. However the regexes do return false positives, so use as a last resort.	2023-10-11 15:57:35 -04:00
Carlos Polop	05f6cb7b0a	Update 9_interesting_files.sh	2023-10-02 23:54:28 +02:00