Credentials in Files

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping. Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.

In cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.

Example

Let's not go too far, shall we??. Were here checking out the latest and greatest techniques to Dump Credentials, Capture Hashes, and Exploit Services. But what about just searching for the passwords??.

Here is where SauronEye comes in a great tool, that searches incredibly quick through the entire system for keywords and specific file extension.

SauronEye.exe -d C:\Users\dwinchester\ --filetypes .txt .docx .xlsx .xls --contents --keywords password pass* -v

References:

https://github.com/vivami/SauronEye

PreviousCredentials in Registry NextT1558: Steal or Forge Kerberos Tickets

Last updated 3 years ago