Built off the open-source project osquery
Description: This query shows filenames in Windows users' subfolders that may contain passwords.
What The Data Shows: Attackers like to live off the land. By searching for these files and educating end users on the issues regarding plaintext passwords, the security posture in organizations will improve, making it more difficult to pivot, steal personal information, etc.
SQL:
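-- File name, path, owning user and SHA-256 of each matching file
SELECT f.filename, f.path, u.username, h.sha256,
-- Convert the epoch timestamps to local time
datetime(f.atime, 'unixepoch', 'localtime') AS atime,
datetime(f.ctime, 'unixepoch', 'localtime') AS ctime,
datetime(f.mtime, 'unixepoch', 'localtime') AS mtime
FROM file AS f
JOIN users AS u USING(uid)
JOIN hash AS h USING(path)
-- File names containing "passw" or "pwd", restricted to paths matching \Users%%
WHERE ((filename LIKE '%passw%') OR (filename LIKE '%pwd%')) AND path LIKE '\Users%%';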