> For the complete documentation index, see [llms.txt](https://dmcxblue.gitbook.io/red-team-notes-2-0/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/credential-access/t1552-unsecured-credentials/credentials-in-files.md).

# Credentials in Files

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping. Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.

In cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.

**Example**

Let's not go too far, shall we??. Were here checking out the latest and greatest techniques to Dump Credentials, Capture Hashes, and Exploit Services. But what about just searching for the passwords??.

Here is where SauronEye comes in a great tool, that searches incredibly quick through the entire system for keywords and specific file extension.

**SauronEye.exe -d C:\Users\dwinchester\ --filetypes .txt .docx .xlsx .xls --contents --keywords password pass\* -v**

![](/files/-MRkq9ZdiWOKVt9xWBNB)

References:

<https://github.com/vivami/SauronEye>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/credential-access/t1552-unsecured-credentials/credentials-in-files.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
