Thursday, 7 February 2019

Threat Hunting #11 - Exposed Passwords

[House Cleaning] - Detecting your own users storing their passwords in "text" files (you will be surprised; it's very common):

IBM Qradar Sysmon AQL:

select username, "Process CommandLine" from events where image imatches '(.*notepad.*)|(.*excel.*)' and "Process CommandLine" imatches '(.*passw.*)|(.*pwd.*)'

CarbonBlack:

(process_name:notepad.exe or process_name:excel.exe or process_name:notepad++.exe) and (cmdline:*password* or cmdline:*pwd* or cmdline:*passwd* or cmdline:*keys*)
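The same hunt expressed as a small Python script that runs the logic of the two queries above over constructed Sysmon process-creation records, so it can be tried offline before the query is deployed in a SIEM. This is an added example, not code from the original post; the sample events, the field names (username, image, cmdline) and the hunt_exposed_passwords function are assumptions, and unlike the queries it matches the suspicious substrings only against the editor's arguments rather than the whole command line.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 (process creation) records, normalised the way a
# SIEM would present them. These are made-up samples, not real telemetry.
SAMPLE_EVENTS = [
    {"username": "alice",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\Desktop\passwords.txt'},
    {"username": "bob",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /dde "\\fileshare\finance\VPN_PWD_list.xlsx"'},
    {"username": "carol",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\carol\notes.txt'},
    {"username": "dave",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c type C:\Users\dave\password.txt'},
    {"username": "erin",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe" "D:\ssh_keys.txt"'},
]

# Editors people typically open credential notes with (same set as the queries above).
EDITOR_IMAGE = re.compile(r"\\(notepad|notepad\+\+|excel)\.exe$", re.IGNORECASE)
# Substrings taken from the queries: passw (password/passwd), pwd, keys.
SENSITIVE_TOKEN = re.compile(r"passw|pwd|keys", re.IGNORECASE)
# Tokenise a Windows command line, keeping quoted paths with spaces intact.
ARG_SPLIT = re.compile(r'"[^"]*"|\S+')


def split_cmdline(cmdline):
    """Return the command line's tokens with surrounding quotes removed."""
    return [tok.strip('"') for tok in ARG_SPLIT.findall(cmdline)]


def hunt_exposed_passwords(events):
    """Return one hit per event where an editor opened a suspiciously named file.

    The SIEM queries match the whole command line; this checks only the
    arguments, so an executable installed under a path that happens to contain
    'pwd' or 'keys' does not by itself produce a hit.
    """
    hits = []
    for ev in events:
        if not EDITOR_IMAGE.search(ev["image"]):
            continue  # not one of the editors we care about (e.g. cmd.exe)
        args = split_cmdline(ev["cmdline"])[1:]  # drop the executable itself
        for arg in args:
            if SENSITIVE_TOKEN.search(arg):
                hits.append({
                    "username": ev["username"],
                    "editor": ntpath.basename(ev["image"]).lower(),
                    "file": ntpath.basename(arg),
                })
                break  # one hit per process-creation event is enough
    return hits


if __name__ == "__main__":
    for hit in hunt_exposed_passwords(SAMPLE_EVENTS):
        print(f"{hit['username']:<8} opened {hit['file']!r} with {hit['editor']}")
```

Running it on the constructed sample reports alice, bob and erin; carol's notes.txt and dave's cmd.exe session are left out, which is the noise the image filter and the argument-only match are there to remove. Hits are a starting point for a conversation with the user and a move to a password manager, not a verdict on their own.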

Finding unprotected credentials in a txt file or the like makes the attacker's life easy, even if the environment is otherwise well hardened.
