IBM Qradar Sysmon AQL:
select username, "Process CommandLine" from events where image imatches '(*.notepad.*)|(.*excel*)' and "Process CommandLine" imatches '(?i)((.*passw.*)|(.*pwd.*))'
process_name:notepad.exe|excel.exe|notepad++.exe and (cmdline:*password* or cmdline:*pwd* or cmdline:*passwd* or cmdline:*keys*)
Finding unprotected credentials in txt file or alike, makes the attacker life easy even if the environment is well hardened.