Playbook for Credential Sniffing

  • Release version: Zurich
  • Updated July 31, 2025
  • This playbook provides remediation steps for investigating an incident that involves credential sniffing performed through the sys_installation_exit table in a ServiceNow instance.

    The Credential Sniffing playbook provides a script field to process database (DB), single sign-on (SSO), and Lightweight Directory Access Protocol (LDAP) logins by using the records on the sys_installation_exit table. These privileged scripting fields can listen to the user requests and parameters sent to the instance during login, including user credentials such as username and password.

    A malicious user may create a script that listens to user requests and logs these requests on the instance. The sys_installation_exit table on an instance defines the rules for processing the login and logout activities of all users on that instance.
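
    The following is an added example, not part of the playbook or of ServiceNow's own code: a Node.js triage pass over exported sys_installation_exit records that flags any record whose script differs from a reviewed baseline or that both reads login parameters and writes to the log. The export field names (name, active, script, sys_updated_by, sys_updated_on), the login parameter names, and all sample records are assumptions constructed for illustration.

```javascript
// Added example: offline triage of exported sys_installation_exit records (Node.js).
// Assumed export fields: name, active, script, sys_updated_by, sys_updated_on.
const crypto = require("crypto");

// Assumed names of the login form parameters that carry credentials.
const CREDENTIAL_READ = /getParameter\(\s*["'](?:user_name|user_password)["']\s*\)/;
// GlideSystem logging calls that would write request data to the instance log.
const LOG_SINK = /\bgs\.(?:log|info|warn|error|debug|print)\s*\(/;

const sha256 = (text) => crypto.createHash("sha256").update(text, "utf8").digest("hex");

// baseline: Map of record name -> SHA-256 of the script as last reviewed.
function triageInstallationExits(records, baseline) {
  const findings = [];
  for (const rec of records) {
    const script = rec.script || "";
    const reasons = [];
    if (!baseline.has(rec.name)) reasons.push("not in baseline");
    else if (baseline.get(rec.name) !== sha256(script)) reasons.push("script changed since baseline");
    if (CREDENTIAL_READ.test(script) && LOG_SINK.test(script)) {
      reasons.push("reads login parameters and writes to the log");
    }
    if (reasons.length > 0) {
      findings.push({
        name: rec.name,
        active: rec.active === true || rec.active === "true",
        updatedBy: rec.sys_updated_by,
        updatedOn: rec.sys_updated_on,
        reasons,
      });
    }
  }
  // Active records first: they are processing logins right now.
  return findings.sort((a, b) => Number(b.active) - Number(a.active));
}

// Constructed sample data (not taken from any real instance).
const REVIEWED = 'var u = request.getParameter("user_name"); /* constructed stand-in */';
const SAMPLE_BASELINE = new Map([["Login", sha256(REVIEWED)], ["Logout", sha256("/* constructed */")]]);
const stamp = { sys_updated_by: "constructed.user", sys_updated_on: "2025-01-01 00:00:00" };
const SAMPLE_RECORDS = [
  { name: "ConstructedExit", active: "false", script: "/* constructed */", ...stamp },
  { name: "Logout", active: "true", script: "/* constructed */", ...stamp },
  { name: "Login", active: "true", script: REVIEWED + '\ngs.log(request.getParameter("user_password"));', ...stamp },
];

console.log(JSON.stringify(triageInstallationExits(SAMPLE_RECORDS, SAMPLE_BASELINE), null, 2));
```

    The pattern match is a heuristic, so treat the baseline comparison as the primary signal and review every flagged record's script and sys_updated_by value by hand.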