Scanning registry hives for the value password:
reg query HKLM /f password /t REG_SZ /s
# or
reg query HKCU /f password /t REG_SZ /s
As a defender, you may want to monitor command-line argument logs and look for any that include the reg query and password strings:
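One way to implement this check over exported process-creation events, as an added example that is not part of the original page. The event field names (Host, CommandLine) and the sample events are constructed assumptions; the match is on the reg query subcommand with a /f search pattern containing password, so unrelated reg commands that merely mention the word are not flagged.

```python
import re

# "reg" or "reg.exe" (optionally path-qualified and quoted) followed by the query subcommand.
REG_QUERY = re.compile(r'(?:^|[\\/\s"])reg(?:\.exe)?"?\s+query\b', re.IGNORECASE)
# Argument of the /f switch (the search pattern), quoted or bare.
SEARCH_ARG = re.compile(r'\s/f\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def is_registry_password_search(command_line, keyword="password"):
    """Return True if command_line is `reg query ... /f <pattern>` and pattern contains keyword."""
    if not REG_QUERY.search(command_line):
        return False
    match = SEARCH_ARG.search(command_line)
    if match is None:
        return False
    pattern = match.group(1) if match.group(1) is not None else match.group(2)
    return keyword.lower() in pattern.lower()


def find_hits(events):
    """Filter process-creation events down to registry password searches."""
    return [e for e in events if is_registry_password_search(e["CommandLine"])]


# Constructed sample events; the Host and CommandLine field names are assumptions.
SAMPLE_EVENTS = [
    {"Host": "ws01", "CommandLine": "reg query HKLM /f password /t REG_SZ /s"},
    {"Host": "ws02", "CommandLine": r'"C:\Windows\System32\reg.exe" QUERY HKCU /F "PassWord" /t REG_SZ /s'},
    {"Host": "ws03", "CommandLine": r"reg query HKLM\SOFTWARE\Example /v ProductName"},
    {"Host": "ws04", "CommandLine": r"reg add HKCU\Software\Example /v password /t REG_SZ /d x /f"},
    {"Host": "ws05", "CommandLine": r"notepad.exe C:\Users\alice\password-policy.txt"},
]

if __name__ == "__main__":
    for event in find_hits(SAMPLE_EVENTS):
        print(f'{event["Host"]}: {event["CommandLine"]}')
```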