#33787 [Huntress Detection] LOW - Incident on FRP-LizScaggs (Farran Realty Partners)

Status: Resolved. Created Mar 29, 2025, 10:04 AM. Resolved Apr 30, 2025, 9:40 PM.
Huntress (internal) Mar 29, 2025, 10:04 AM
Host: FRP-LizScaggs - https://artichoke.huntress.io/org/143732/agents/3029914
Organization: Farran Realty Partners
Tags: None
Security Products: Windows Defender

Incident Report: https://artichoke.huntress.io/org/143732/infection_reports/1460835
Severity: Low

Investigative Summary
---------------------
Huntress detected one or more files on this endpoint that may contain passwords. Keeping passwords readily available on disk or on network shares does not follow security best practices, as threat actors often search for and exploit this data. To reduce organizational risk, we recommend that you remove these files and consider the use of a secure password manager.
This message was sent out to ensure you are aware of this potential security risk on this host. We will not be able to verify removal of the password files. We did not collect/examine the file to verify that it contains passwords.

Given the existence of this file, we recommend that your users receive training on the risks of insecure password storage:

- If you already have a Huntress Security Awareness Training (SAT) subscription, you can assign the "Storing Passwords" and "Password Manager" episodes to all employees of the affected organization.
- If you don't have an SAT subscription yet, you can start a free trial for full access to all content. Alternatively, we've made the "Storing Passwords" episode available to you for free at https://mycurricula.com/login/d93fpsfxje

Commands used to open files that may contain passwords:
User: lscaggs
Command: "C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\lscaggs\OneDrive - Farran\Desktop\Payroll Password.pdf"

Remediation Instructions
------------------------
To mitigate post-exploitation attacks and lateral movement, consider switching to a secure password management solution. Before deleting any local credential files, ensure they have been backed up to a secure, encrypted location.
There may be other password files located on disk in the same directory as the above processes seen on the host - this list is not exhaustive. Huntress has not manually downloaded the files to confirm they contain credentials; however, due to the naming, password content is likely and your team should consider investigating.
If a threat actor gains access to this host and discovers a password file (whether locally or on a shared drive), these credentials can be used to launch follow-on attacks against the organization or to laterally move across the network. Additionally, password storage in this manner may negatively impact audits for mandatory security standards in certain industries.

Processes
---------
Start Time: 2025-03-28 15:02:16 UTC
Command: "C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\lscaggs\OneDrive - Farran\Desktop\Payroll Password.pdf"
Executable: C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Process ID: 62676246-0bd2-11f0-9764-28f07649301f
Parent Process: C:\Windows\explorer.exe
User: lscaggs

-------------------------
Thanks again for trusting Huntress and please don't hesitate to reach out to [email protected] if you have any questions.
[email protected] (internal) Apr 30, 2025, 9:40 PM
Edits made via Bulk Update Tool - see change log for this timestamp