Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
It is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping.  Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. 
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files. They may also be found as parameters to deployment commands in container logs. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.
If an initial connectivity check fails, pngdowner attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store. This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access.
TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP. Additionally, it searches for the ".vnc.lnk" affix to steal VNC credentials.
Preemptively search for files containing passwords and take actions to reduce the exposure risk when found.
Establish an organizational policy that prohibits password storage in files.
|Restrict File and Directory Permissions
Restrict file shares to specific directories with access only to necessary users.
Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.
While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor executed commands and arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.
Monitor for files being accessed that may search local file systems and remote file shares for files containing insecurely stored credentials. While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained.
Monitor newly executed processes for local file systems and remote file shares for files containing insecurely stored credentials.
Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the Reg system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality.
Analytic 1 - Credentials in Files & Registry