Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through Credential Dumping. (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
grep -riP password #{file_path}
grep -riP password /
audit logs (audit.rules)
bash_history logs
index=linux sourcetype=linux_audit type=execve a0=grep password
index=linux sourcetype="bash_history" grep password | table host,user_name,bash_command
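The two Splunk searches above look for a `grep` whose arguments include `password`, once in auditd EXECVE records and once in collected bash history. The following is an added offline example (not part of this page or of any ATT&CK/Atomic Red Team tooling) that applies the same detection logic to constructed sample records. It handles one detail the one-line searches gloss over: auditd writes an argument as unquoted hex (e.g. `a2=6D79...`) when it contains a space or quote, so a naive match on the literal word would miss it. The host/user names, audit ids and log lines are all constructed; `SEARCH_TOOLS` and `CREDENTIAL_TERM` are assumptions about what to match, not values from the page.

```python
import re
import shlex

# Constructed auditd EXECVE records (not from a real host). Event 458 carries a
# hex-encoded a2 because the search string contained a space.
SAMPLE_AUDIT = """\
type=EXECVE msg=audit(1700000000.123:456): argc=4 a0="grep" a1="-riP" a2="password" a3="/"
type=EXECVE msg=audit(1700000001.000:457): argc=2 a0="ls" a1="-la"
type=EXECVE msg=audit(1700000002.000:458): argc=4 a0="grep" a1="-ri" a2=6D792070617373776F7264 a3="/home"
type=EXECVE msg=audit(1700000003.000:459): argc=4 a0="grep" a1="-r" a2="TODO" a3="/src"
"""

# Constructed bash_history lines for one user.
SAMPLE_BASH_HISTORY = """\
cd /srv/backups
grep -ri password /etc/
ls -la
grep -riP 'passwd' /
"""

# Quoted args are literal; unquoted hex runs are auditd's encoding of args
# containing spaces, quotes or non-printable bytes.
_ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
_AUDIT_ID_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")

# Assumed list of search tools and credential-related search terms.
SEARCH_TOOLS = {"grep", "egrep", "fgrep", "rg", "ack"}
CREDENTIAL_TERM = re.compile(r"passw(or)?d", re.IGNORECASE)


def parse_execve(line):
    """Return argv for a type=EXECVE record (hex args decoded), else None."""
    if "type=EXECVE" not in line:
        return None
    argv = {}
    for m in _ARG_RE.finditer(line):
        idx = int(m.group(1))
        if m.group(2) is not None:
            argv[idx] = m.group(2)
        else:
            try:
                argv[idx] = bytes.fromhex(m.group(3)).decode("utf-8", "replace")
            except ValueError:
                argv[idx] = m.group(3)  # not valid hex; keep raw token
    return [argv[i] for i in sorted(argv)]


def is_credential_search(argv):
    """True if argv is a grep-style search whose pattern names a password.

    Only the first non-option argument (the search pattern under plain grep
    semantics; -e/-f are not handled) is examined, so `grep root /etc/passwd`
    is not flagged merely because a path contains 'passwd'.
    """
    if not argv:
        return False
    tool = argv[0].rsplit("/", 1)[-1]
    if tool not in SEARCH_TOOLS:
        return False
    for arg in argv[1:]:
        if arg.startswith("-"):
            continue
        return bool(CREDENTIAL_TERM.search(arg))
    return False


def scan_audit_log(text):
    """Return [{'event': audit serial, 'argv': [...]}] for matching EXECVE records."""
    hits = []
    for line in text.splitlines():
        argv = parse_execve(line)
        if argv and is_credential_search(argv):
            m = _AUDIT_ID_RE.search(line)
            hits.append({"event": m.group(2) if m else None, "argv": argv})
    return hits


def scan_bash_history(text, host="constructed-host", user="alice"):
    """Mirror the Splunk table: host, user_name, bash_command for each hit."""
    hits = []
    for cmd in text.splitlines():
        cmd = cmd.strip()
        if not cmd:
            continue
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes; skip rather than crash
            continue
        if is_credential_search(argv):
            hits.append({"host": host, "user_name": user, "bash_command": cmd})
    return hits


if __name__ == "__main__":
    for hit in scan_audit_log(SAMPLE_AUDIT):
        print("audit", hit)
    for hit in scan_bash_history(SAMPLE_BASH_HISTORY):
        print("history", hit)
```

Run stand-alone it reports audit events 456 and 458 (the latter decoded to `my password`) and the two `grep` lines from the history sample; `ls` and the `TODO` search are ignored. The same first-argument rule is what a `a0=grep a1=...` style Splunk search approximates, and it is also why `a0=grep password` as a free-text term will match a `grep` over `/etc/passwd` unless the pattern argument is isolated.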