Which SIEM platforms have a T1555 detection rule?

df00tech provides T1555 (Credentials from Password Stores) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Credentials from Password Stores (T1555)?

Detecting Credentials from Password Stores requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1555 detection?

The T1555 detection is rated high severity with medium confidence.

What are common false positives for T1555?

Common false positives for T1555 include: IT administrators using cmdkey /list to audit stored credentials during maintenance windows; macOS developers or sysadmins legitimately querying Keychain via the security command-line tool; Penetration testing teams running authorized credential audits with tools like LaZagne.

T1555

Credentials from Password Stores

Credential Access Last updated: April 13, 2026

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

What is T1555 Credentials from Password Stores?

Credentials from Password Stores (T1555) maps to the Credential Access tactic — the adversary is trying to steal account names and passwords in MITRE ATT&CK.

This page provides production-ready detection logic for Credentials from Password Stores, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1555 Credentials from Password Stores
Canonical reference: https://attack.mitre.org/techniques/T1555/

Microsoft Sentinel / Defender

kusto

let CredentialTools = dynamic(["mimikatz", "lazagne", "credentialfileview", "vaultpasswordview", "netpass", "nirsoft", "keethief", "dumperts", "browserpassview", "webbrowserpassview", "mailpassview", "chromiumpassworddecryptor", "creddump"]);
let CredentialCommands = dynamic(["cmdkey /list", "vaultcmd /listcreds", "security dump-keychain", "security find-generic-password", "security find-internet-password", "rundll32.exe keymgr.dll", "CryptUnprotectData", "CredEnumerateA", "CredEnumerateW", "SecKeychainFindInternetPassword", "dpapi::cred", "vault::list", "vault::cred"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (CredentialCommands)
    or FileName has_any (CredentialTools)
    or InitiatingProcessFileName has_any (CredentialTools)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

Broad detection for credential harvesting from password stores across Windows, macOS, and Linux. Monitors for known credential theft tools (Mimikatz, LaZagne, NirSoft utilities, KeeThief) and native OS commands used to enumerate or dump credentials from system password stores including Windows Credential Manager, macOS Keychain, and browser credential databases.

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators using cmdkey /list to audit stored credentials during maintenance windows
macOS developers or sysadmins legitimately querying Keychain via the security command-line tool
Penetration testing teams running authorized credential audits with tools like LaZagne
Password manager applications performing legitimate credential operations

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name : ("mimikatz.exe", "lazagne.exe", "credentialfileview.exe", "vaultpasswordview.exe", "netpass.exe", "keethief.exe", "dumperts.exe", "browserpassview.exe", "webbrowserpassview.exe", "mailpassview.exe", "chromiumpassworddecryptor.exe", "creddump.exe")
  or process.command_line : ("*cmdkey* /list*", "*vaultcmd* /listcreds*", "*security* dump-keychain*", "*security* find-generic-password*", "*security* find-internet-password*", "*rundll32*keymgr.dll*", "*CryptUnprotectData*", "*CredEnumerateA*", "*CredEnumerateW*", "*SecKeychainFindInternetPassword*", "*dpapi::cred*", "*vault::list*", "*vault::cred*")
  or process.parent.name : ("mimikatz.exe", "lazagne.exe", "credentialfileview.exe", "vaultpasswordview.exe", "netpass.exe", "keethief.exe", "dumperts.exe", "browserpassview.exe", "webbrowserpassview.exe", "mailpassview.exe", "chromiumpassworddecryptor.exe", "creddump.exe")
)

Detects execution of known credential harvesting tools targeting password stores (T1555). Matches on process name, command-line arguments referencing credential enumeration APIs and CLI commands, and parent process names of known tools. Covers Mimikatz vault/DPAPI modules, LaZagne, NirSoft credential viewers, KeeThief, and native Windows/macOS credential CLI commands.

high severity high confidence

Data Sources

Elastic Endpoint Security (ECS) Winlogbeat with Sysmon (ECS normalised) Elastic Agent Endpoint Integration

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

Security auditing tools run by IT operations (e.g., CyberArk, BeyondTrust discovery agents) may invoke CredEnumerate APIs legitimately.
Password manager installers or update processes (Bitwarden, 1Password) may use find-generic-password on macOS during vault migration.
Penetration testing engagements where LaZagne or Mimikatz are used under an authorised scope — correlate with change-window tickets.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Source IP",
  username AS "Username",
  "Process Name" AS "Process Name",
  "Command" AS "Command Line",
  "Parent Process Name" AS "Parent Process"
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND EventID IN (1, 4688)
  AND (
    LOWER("Process Name") MATCHES '(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass\.exe|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)'
    OR LOWER("Command") MATCHES '(cmdkey[\s]+/list|vaultcmd[\s]+/listcreds|security[\s]+dump-keychain|security[\s]+find-generic-password|security[\s]+find-internet-password|rundll32.*keymgr\.dll|cryptunprotectdata|credenumeratea|credenumeratew|dpapi::cred|vault::list|vault::cred)'
    OR LOWER("Parent Process Name") MATCHES '(mimikatz|lazagne|credentialfileview|vaultpasswordview|keethief|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)'
  )
ORDER BY starttime DESC
LAST 24 HOURS

AQL rule for IBM QRadar detecting credential harvesting tool execution and credential store enumeration commands. Queries Windows Security Event Log (EventID 4688 — process creation) and Sysmon (EventID 1) log sources. Matches against known tool names in the process image path and known credential-access command patterns in the command-line field.

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (EventID 4688 with command-line auditing enabled) Sysmon via Windows Event Forwarding (EventID 1) QRadar DSM for Windows

Required Tables

events

False Positives

Enterprise password vault agents (CyberArk CPM, Delinea) that enumerate Windows Credential Manager entries during reconciliation cycles.
Custom PowerShell scripts used by helpdesk to list stored credentials with cmdkey /list during troubleshooting sessions.
Security awareness / red team simulation platforms (e.g., AttackIQ, Cymulate) that execute credential access scenarios in test environments.

Sumo Logic CSE

sql

(_sourceCategory="*windows*" OR _sourceCategory="*sysmon*" OR _sourceCategory="WinEventLog")
| where EventCode in ("1", "4688")
| eval cmd_lower = toLowerCase(CommandLine)
| eval img_lower = toLowerCase(Image)
| eval parent_lower = toLowerCase(ParentImage)
| where (
    img_lower matches "/(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)/"
    OR parent_lower matches "/(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)/"
    OR cmd_lower matches "/(cmdkey[\s]+\/list|vaultcmd[\s]+\/listcreds|security[\s]+dump-keychain|security[\s]+find-generic-password|security[\s]+find-internet-password|rundll32.*keymgr\.dll|cryptunprotectdata|credenumeratea|credenumeratew|dpapi::cred|vault::list|vault::cred)/"
  )
| eval tool_match = if(img_lower matches "/(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)/", 1, 0)
| eval cmd_match = if(cmd_lower matches "/(cmdkey[\s]+\/list|vaultcmd[\s]+\/listcreds|security[\s]+dump-keychain|security[\s]+find-generic-password|security[\s]+find-internet-password|rundll32.*keymgr\.dll|cryptunprotectdata|credenumeratea|credenumeratew|dpapi::cred|vault::list|vault::cred)/", 1, 0)
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, tool_match, cmd_match
| sort by _messageTime desc

Sumo Logic search query detecting credential harvesting tool execution and password store enumeration commands from Windows Sysmon (EventID 1) and Security Event Log (EventID 4688) sources. Uses regex matching on process image names and command-line strings to identify both known tool names and credential-access API/CLI patterns. Includes match classification fields to differentiate tool-name hits from command-line hits.

high severity high confidence

Data Sources

Sumo Logic Windows Source (Sysmon EventID 1) Sumo Logic Windows Source (Security EventID 4688) Sumo Logic Installed Collector on Windows endpoints

Required Tables

Windows Event Log source (WinEventLog or Sysmon) Sumo Logic CSE normalized process schema

False Positives

IT asset discovery solutions (Lansweeper, PDQ Inventory) that enumerate credential stores as part of software inventory scans.
macOS Jamf or Munki management agents invoking `security find-generic-password` to verify keychain entries during managed app installs.
Chrome or Edge browser updates that internally access Windows Credential Manager to migrate saved passwords — triggers on process arguments.

Google Chronicle / SecOps

yaral

rule t1555_credentials_from_password_stores {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects execution of credential harvesting tools or commands targeting password stores (T1555)"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1555"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path,
        `(?i)(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass\.exe|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)`)
      or re.regex($e.target.process.command_line,
        `(?i)(cmdkey\s+/list|vaultcmd\s+/listcreds|security\s+dump-keychain|security\s+find-generic-password|security\s+find-internet-password|rundll32.*keymgr\.dll|CryptUnprotectData|CredEnumerateA|CredEnumerateW|SecKeychainFindInternetPassword|dpapi::cred|vault::list|vault::cred)`)
      or re.regex($e.principal.process.file.full_path,
        `(?i)(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass\.exe|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)`)
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting password store credential harvesting via PROCESS_LAUNCH UDM events. Matches on the target process full path and command line using regex for known tool names and credential enumeration API calls/CLI patterns. Also checks parent process path to catch child processes spawned by known tools. Uses UDM fields principal.process (parent) and target.process (spawned process).

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Chronicle Ingestion API — Windows endpoints via Chronicle forwarder Chronicle EDR telemetry from CrowdStrike, Carbon Black, or Defender ATP

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Privileged Access Workstation (PAW) credential vault agents that legitimately call CredEnumerateW during session setup for just-in-time access workflows.
macOS MDM enrollment processes that use `security find-internet-password` to retrieve proxy credentials from keychain during device provisioning.
SIEM/SOAR integration agents (Splunk SOAR, Palo Alto XSOAR) that spawn credential retrieval subprocesses when connecting to managed password stores.

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| eval img_lower = lowercase(ImageFileName)
| eval cmd_lower = lowercase(CommandLine)
| eval parent_lower = lowercase(ParentBaseFileName)
| eval tool_match = if(
    match(img_lower, regex="(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)"),
    "tool_name",
    ""
  )
| eval cmd_match = if(
    match(cmd_lower, regex="(cmdkey[\\s]+/list|vaultcmd[\\s]+/listcreds|security[\\s]+dump-keychain|security[\\s]+find-generic-password|security[\\s]+find-internet-password|rundll32.*keymgr\\.dll|cryptunprotectdata|credenumeratea|credenumeratew|dpapi::cred|vault::list|vault::cred)"),
    "cmd_pattern",
    ""
  )
| eval parent_match = if(
    match(parent_lower, regex="(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)"),
    "parent_tool",
    ""
  )
| where tool_match != "" OR cmd_match != "" OR parent_match != ""
| eval match_reason = array_concat(
    if(tool_match != "", [tool_match], []),
    if(cmd_match != "", [cmd_match], []),
    if(parent_match != "", [parent_match], [])
  )
| table [@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, match_reason]
| sort @timestamp desc

CrowdStrike LogScale (Falcon) query detecting password store credential harvesting via ProcessRollup2 events. Evaluates tool name match on the process image path, command-line pattern match for known credential enumeration commands and API names, and parent process name match for child processes of known tools. Produces a match_reason array to assist triage by identifying which detection signal fired.

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection — ProcessRollup2 telemetry Falcon Data Replicator (FDR) streaming to LogScale LogScale Falcon Insight log source

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

CrowdStrike Falcon sensor itself or third-party EDR agents that enumerate credentials during process injection prevention checks — typically run as SYSTEM with a signed parent.
Enterprise single-sign-on helpers (OKTA Device Trust, Duo Authentication for Windows) that call CredEnumerateW to locate stored SSO tokens during login.
Developer tooling such as Git Credential Manager or AWS CLI credential helper that invoke native credential store APIs to retrieve repository or cloud credentials from Windows Credential Manager.

Sigma rule & cross-platform mapping

The detection logic for Credentials from Password Stores (T1555) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1555 Sigma rules on detection.fyi

Platform-specific guides for T1555

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (5)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Enumerate Windows Credential Manager with cmdkey
Expected signal: Sysmon Event ID 1: Process Create with Image=cmdkey.exe, CommandLine='cmdkey /list'. Security Event ID 4688 with same details if command line auditing is enabled.
Test 2Enumerate Windows Vault with vaultcmd
Expected signal: Sysmon Event ID 1: Process Create with Image=vaultcmd.exe, CommandLine containing '/listcreds'. Security Event ID 4688 with command line details.
Test 3Dump macOS Keychain credentials
Expected signal: macOS Unified Log: process creation for /usr/bin/security with arguments 'dump-keychain -d'. Endpoint Security Framework (ESF) events for Keychain access. EDR telemetry showing security binary execution with dump-keychain argument.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1555 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hub

TA0006Credential Access

Credentials from Password Stores

What is T1555 Credentials from Password Stores?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1555

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (6)

Related Techniques

Same Tactic: Credential Access

Popular Detections

What is T1555 Credentials from Password Stores?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1555

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (6)

Related Techniques

Same Tactic: Credential Access

Popular Detections

Get new detections in your inbox