T1555 Credentials from Password Stores Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let CredentialTools = dynamic(["mimikatz", "lazagne", "credentialfileview", "vaultpasswordview", "netpass", "nirsoft", "keethief", "dumperts", "browserpassview", "webbrowserpassview", "mailpassview", "chromiumpassworddecryptor", "creddump"]);
let CredentialCommands = dynamic(["cmdkey /list", "vaultcmd /listcreds", "security dump-keychain", "security find-generic-password", "security find-internet-password", "rundll32.exe keymgr.dll", "CryptUnprotectData", "CredEnumerateA", "CredEnumerateW", "SecKeychainFindInternetPassword", "dpapi::cred", "vault::list", "vault::cred"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (CredentialCommands)
    or FileName has_any (CredentialTools)
    or InitiatingProcessFileName has_any (CredentialTools)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators using cmdkey /list to audit stored credentials during maintenance windows
macOS developers or sysadmins legitimately querying Keychain via the security command-line tool
Penetration testing teams running authorized credential audits with tools like LaZagne
Password manager applications performing legitimate credential operations

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine)
| eval CredToolMatch=if(match(Image, "(?i)(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|browserpassview|webbrowserpassview)"), 1, 0)
| eval CredCmdMatch=if(match(CommandLine, "(cmdkey\s+/list|vaultcmd\s+/listcreds|security\s+dump-keychain|security\s+find-generic-password|security\s+find-internet-password|rundll32.*keymgr\.dll|cryptunprotectdata|credenumeratea|credenumeratew|dpapi::cred|vault::list|vault::cred)"), 1, 0)
| where CredToolMatch=1 OR CredCmdMatch=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, CredToolMatch, CredCmdMatch
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators using cmdkey /list to audit stored credentials during maintenance windows
Penetration testing teams running authorized credential audits with tools like LaZagne
Security scanning tools that enumerate credential stores as part of vulnerability assessments
System management scripts that check credential store health

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name : ("mimikatz.exe", "lazagne.exe", "credentialfileview.exe", "vaultpasswordview.exe", "netpass.exe", "keethief.exe", "dumperts.exe", "browserpassview.exe", "webbrowserpassview.exe", "mailpassview.exe", "chromiumpassworddecryptor.exe", "creddump.exe")
  or process.command_line : ("*cmdkey* /list*", "*vaultcmd* /listcreds*", "*security* dump-keychain*", "*security* find-generic-password*", "*security* find-internet-password*", "*rundll32*keymgr.dll*", "*CryptUnprotectData*", "*CredEnumerateA*", "*CredEnumerateW*", "*SecKeychainFindInternetPassword*", "*dpapi::cred*", "*vault::list*", "*vault::cred*")
  or process.parent.name : ("mimikatz.exe", "lazagne.exe", "credentialfileview.exe", "vaultpasswordview.exe", "netpass.exe", "keethief.exe", "dumperts.exe", "browserpassview.exe", "webbrowserpassview.exe", "mailpassview.exe", "chromiumpassworddecryptor.exe", "creddump.exe")
)

high severity high confidence

Data Sources

Elastic Endpoint Security (ECS) Winlogbeat with Sysmon (ECS normalised) Elastic Agent Endpoint Integration

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

Security auditing tools run by IT operations (e.g., CyberArk, BeyondTrust discovery agents) may invoke CredEnumerate APIs legitimately.
Password manager installers or update processes (Bitwarden, 1Password) may use find-generic-password on macOS during vault migration.
Penetration testing engagements where LaZagne or Mimikatz are used under an authorised scope — correlate with change-window tickets.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Source IP",
  username AS "Username",
  "Process Name" AS "Process Name",
  "Command" AS "Command Line",
  "Parent Process Name" AS "Parent Process"
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND EventID IN (1, 4688)
  AND (
    LOWER("Process Name") MATCHES '(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass\.exe|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)'
    OR LOWER("Command") MATCHES '(cmdkey[\s]+/list|vaultcmd[\s]+/listcreds|security[\s]+dump-keychain|security[\s]+find-generic-password|security[\s]+find-internet-password|rundll32.*keymgr\.dll|cryptunprotectdata|credenumeratea|credenumeratew|dpapi::cred|vault::list|vault::cred)'
    OR LOWER("Parent Process Name") MATCHES '(mimikatz|lazagne|credentialfileview|vaultpasswordview|keethief|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)'
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (EventID 4688 with command-line auditing enabled) Sysmon via Windows Event Forwarding (EventID 1) QRadar DSM for Windows

Required Tables

events

False Positives

Enterprise password vault agents (CyberArk CPM, Delinea) that enumerate Windows Credential Manager entries during reconciliation cycles.
Custom PowerShell scripts used by helpdesk to list stored credentials with cmdkey /list during troubleshooting sessions.
Security awareness / red team simulation platforms (e.g., AttackIQ, Cymulate) that execute credential access scenarios in test environments.

Sumo Logic CSE

sql

(_sourceCategory="*windows*" OR _sourceCategory="*sysmon*" OR _sourceCategory="WinEventLog")
| where EventCode in ("1", "4688")
| eval cmd_lower = toLowerCase(CommandLine)
| eval img_lower = toLowerCase(Image)
| eval parent_lower = toLowerCase(ParentImage)
| where (
    img_lower matches "/(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)/"
    OR parent_lower matches "/(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)/"
    OR cmd_lower matches "/(cmdkey[\s]+\/list|vaultcmd[\s]+\/listcreds|security[\s]+dump-keychain|security[\s]+find-generic-password|security[\s]+find-internet-password|rundll32.*keymgr\.dll|cryptunprotectdata|credenumeratea|credenumeratew|dpapi::cred|vault::list|vault::cred)/"
  )
| eval tool_match = if(img_lower matches "/(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)/", 1, 0)
| eval cmd_match = if(cmd_lower matches "/(cmdkey[\s]+\/list|vaultcmd[\s]+\/listcreds|security[\s]+dump-keychain|security[\s]+find-generic-password|security[\s]+find-internet-password|rundll32.*keymgr\.dll|cryptunprotectdata|credenumeratea|credenumeratew|dpapi::cred|vault::list|vault::cred)/", 1, 0)
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, tool_match, cmd_match
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Windows Source (Sysmon EventID 1) Sumo Logic Windows Source (Security EventID 4688) Sumo Logic Installed Collector on Windows endpoints

Required Tables

Windows Event Log source (WinEventLog or Sysmon) Sumo Logic CSE normalized process schema

False Positives

IT asset discovery solutions (Lansweeper, PDQ Inventory) that enumerate credential stores as part of software inventory scans.
macOS Jamf or Munki management agents invoking `security find-generic-password` to verify keychain entries during managed app installs.
Chrome or Edge browser updates that internally access Windows Credential Manager to migrate saved passwords — triggers on process arguments.

Google Chronicle / SecOps

yaral

rule t1555_credentials_from_password_stores {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects execution of credential harvesting tools or commands targeting password stores (T1555)"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1555"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path,
        `(?i)(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass\.exe|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)`)
      or re.regex($e.target.process.command_line,
        `(?i)(cmdkey\s+/list|vaultcmd\s+/listcreds|security\s+dump-keychain|security\s+find-generic-password|security\s+find-internet-password|rundll32.*keymgr\.dll|CryptUnprotectData|CredEnumerateA|CredEnumerateW|SecKeychainFindInternetPassword|dpapi::cred|vault::list|vault::cred)`)
      or re.regex($e.principal.process.file.full_path,
        `(?i)(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass\.exe|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Chronicle Ingestion API — Windows endpoints via Chronicle forwarder Chronicle EDR telemetry from CrowdStrike, Carbon Black, or Defender ATP

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Privileged Access Workstation (PAW) credential vault agents that legitimately call CredEnumerateW during session setup for just-in-time access workflows.
macOS MDM enrollment processes that use `security find-internet-password` to retrieve proxy credentials from keychain during device provisioning.
SIEM/SOAR integration agents (Splunk SOAR, Palo Alto XSOAR) that spawn credential retrieval subprocesses when connecting to managed password stores.

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| eval img_lower = lowercase(ImageFileName)
| eval cmd_lower = lowercase(CommandLine)
| eval parent_lower = lowercase(ParentBaseFileName)
| eval tool_match = if(
    match(img_lower, regex="(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)"),
    "tool_name",
    ""
  )
| eval cmd_match = if(
    match(cmd_lower, regex="(cmdkey[\\s]+/list|vaultcmd[\\s]+/listcreds|security[\\s]+dump-keychain|security[\\s]+find-generic-password|security[\\s]+find-internet-password|rundll32.*keymgr\\.dll|cryptunprotectdata|credenumeratea|credenumeratew|dpapi::cred|vault::list|vault::cred)"),
    "cmd_pattern",
    ""
  )
| eval parent_match = if(
    match(parent_lower, regex="(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)"),
    "parent_tool",
    ""
  )
| where tool_match != "" OR cmd_match != "" OR parent_match != ""
| eval match_reason = array_concat(
    if(tool_match != "", [tool_match], []),
    if(cmd_match != "", [cmd_match], []),
    if(parent_match != "", [parent_match], [])
  )
| table [@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, match_reason]
| sort @timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection — ProcessRollup2 telemetry Falcon Data Replicator (FDR) streaming to LogScale LogScale Falcon Insight log source

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

CrowdStrike Falcon sensor itself or third-party EDR agents that enumerate credentials during process injection prevention checks — typically run as SYSTEM with a signed parent.
Enterprise single-sign-on helpers (OKTA Device Trust, Duo Authentication for Windows) that call CredEnumerateW to locate stored SSO tokens during login.
Developer tooling such as Git Credential Manager or AWS CLI credential helper that invoke native credential store APIs to retrieve repository or cloud credentials from Windows Credential Manager.

Credentials from Password Stores

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (6)

Same Tactic: Credential Access

Popular Detections