T1555.004 Windows Credential Manager Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let VaultCommands = dynamic(["vaultcmd /listcreds", "vaultcmd /list", "cmdkey /list", "rundll32.exe keymgr.dll", "KRShowKeyMgr", "Invoke-WCMDump", "vault::cred", "vault::list", "dpapi::cred", "CredEnumerateA", "CredEnumerateW", "Get-VaultCredential"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (VaultCommands)
    or (FileName =~ "vaultcmd.exe" and ProcessCommandLine has_any ("/listcreds", "/list"))
    or (FileName =~ "cmdkey.exe" and ProcessCommandLine has "/list")
    or (FileName =~ "rundll32.exe" and ProcessCommandLine has "keymgr.dll")
| extend VaultEnum = ProcessCommandLine has_any ("vaultcmd", "vault::list")
| extend CmdkeyEnum = ProcessCommandLine has "cmdkey /list"
| extend MimikatzVault = ProcessCommandLine has_any ("vault::cred", "dpapi::cred")
| extend CredBackup = ProcessCommandLine has "keymgr.dll"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         VaultEnum, CmdkeyEnum, MimikatzVault, CredBackup
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators using cmdkey /list to audit stored credentials during troubleshooting
IT helpdesk scripts that check credential store status for remote access configuration
Endpoint management tools that enumerate credentials as part of compliance checks
Windows system processes that interact with Credential Manager during authentication flows

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  ((Image="*\\vaultcmd.exe" AND (CommandLine="*/listcreds*" OR CommandLine="*/list*"))
  OR (Image="*\\cmdkey.exe" AND CommandLine="*/list*")
  OR (Image="*\\rundll32.exe" AND CommandLine="*keymgr.dll*")
  OR CommandLine="*Invoke-WCMDump*"
  OR CommandLine="*vault::cred*"
  OR CommandLine="*vault::list*"
  OR CommandLine="*dpapi::cred*"
  OR CommandLine="*Get-VaultCredential*"
  OR CommandLine="*CredEnumerateA*"
  OR CommandLine="*CredEnumerateW*")
| eval VaultEnum=if(match(Image, "(?i)vaultcmd") OR match(CommandLine, "vault::list"), 1, 0)
| eval CmdkeyEnum=if(match(CommandLine, "(?i)cmdkey.*/list"), 1, 0)
| eval MimikatzVault=if(match(CommandLine, "(vault::cred|dpapi::cred)"), 1, 0)
| eval CredBackup=if(match(CommandLine, "(?i)keymgr\.dll"), 1, 0)
| eval SuspicionScore=VaultEnum + CmdkeyEnum + MimikatzVault*3 + CredBackup*2
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, VaultEnum, CmdkeyEnum, MimikatzVault, CredBackup, SuspicionScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

System administrators using cmdkey /list to audit stored credentials
IT helpdesk scripts checking credential store status
Endpoint management tools enumerating credentials for compliance
Windows system processes during normal authentication

Elastic Security (EQL)

eql

process where host.os.type == "windows" and event.type == "start" and (
  (process.name like~ "vaultcmd.exe" and (process.command_line like~ "*/listcreds*" or process.command_line like~ "*/list*")) or
  (process.name like~ "cmdkey.exe" and process.command_line like~ "*/list*") or
  (process.name like~ "rundll32.exe" and process.command_line like~ "*keymgr.dll*") or
  process.command_line like~ "*Invoke-WCMDump*" or
  process.command_line like~ "*vault::cred*" or
  process.command_line like~ "*vault::list*" or
  process.command_line like~ "*dpapi::cred*" or
  process.command_line like~ "*Get-VaultCredential*" or
  process.command_line like~ "*CredEnumerateA*" or
  process.command_line like~ "*CredEnumerateW*" or
  process.command_line like~ "*KRShowKeyMgr*"
)

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Windows Security Event Log

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

IT administrators or help desk staff running cmdkey /list or vaultcmd /list during credential troubleshooting or workstation provisioning workflows
Enterprise password management or SSO provisioning tools programmatically calling CredEnumerateA/CredEnumerateW APIs to audit or migrate stored credentials
Authorized red team or penetration testing operations executing credential access techniques within scoped and documented engagements

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  username AS "Username",
  hostname AS "Hostname",
  "Process Name" AS "Image",
  "Command" AS "CommandLine",
  "Parent Process Name" AS "ParentImage",
  CASE WHEN LOWER("Process Name") LIKE '%vaultcmd%' OR LOWER("Command") LIKE '%vault::list%' THEN 1 ELSE 0 END AS VaultEnum,
  CASE WHEN LOWER("Command") LIKE '%cmdkey%' AND LOWER("Command") LIKE '%/list%' THEN 1 ELSE 0 END AS CmdkeyEnum,
  CASE WHEN LOWER("Command") LIKE '%vault::cred%' OR LOWER("Command") LIKE '%dpapi::cred%' THEN 3 ELSE 0 END AS MimikatzScore,
  CASE WHEN LOWER("Command") LIKE '%keymgr.dll%' THEN 2 ELSE 0 END AS CredBackupScore
FROM events
WHERE LOGSOURCETYPEID IN (12, 352)
  AND (
    (LOWER("Process Name") LIKE '%vaultcmd.exe%' AND (LOWER("Command") LIKE '%/listcreds%' OR LOWER("Command") LIKE '%/list%'))
    OR (LOWER("Process Name") LIKE '%cmdkey.exe%' AND LOWER("Command") LIKE '%/list%')
    OR (LOWER("Process Name") LIKE '%rundll32.exe%' AND LOWER("Command") LIKE '%keymgr.dll%')
    OR LOWER("Command") LIKE '%invoke-wcmdump%'
    OR LOWER("Command") LIKE '%vault::cred%'
    OR LOWER("Command") LIKE '%vault::list%'
    OR LOWER("Command") LIKE '%dpapi::cred%'
    OR LOWER("Command") LIKE '%get-vaultcredential%'
    OR LOWER("Command") LIKE '%credenumeratea%'
    OR LOWER("Command") LIKE '%credenumeratew%'
    OR LOWER("Command") LIKE '%krshowkeymgr%'
  )
LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log (EventID 4688) Microsoft Sysmon (EventID 1)

Required Tables

events (QRadar LOGSOURCETYPEID 12 - Windows Security, 352 - Sysmon)

False Positives

Workstation provisioning or imaging scripts using cmdkey to pre-populate domain credentials for mapped drives or automated RDP session setup
IT administrators running vaultcmd for authorized credential inventory audits or tier-1 endpoint support tasks
Vulnerability scanners or EDR agents that enumerate Windows Credential Manager stores as part of endpoint posture telemetry collection

Sumo Logic CSE

sql

(_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=*WinEventLog*)
| where EventID = "1" OR EventID = "4688"
| where CommandLine contains "vaultcmd" OR CommandLine contains "cmdkey" OR CommandLine contains "keymgr.dll" OR CommandLine contains "Invoke-WCMDump" OR CommandLine contains "vault::cred" OR CommandLine contains "vault::list" OR CommandLine contains "dpapi::cred" OR CommandLine contains "Get-VaultCredential" OR CommandLine contains "CredEnumerateA" OR CommandLine contains "CredEnumerateW" OR CommandLine contains "KRShowKeyMgr"
| eval VaultEnum = if(CommandLine matches "(?i)(vaultcmd|vault::list)", 1, 0)
| eval CmdkeyEnum = if(CommandLine matches "(?i)cmdkey.*/list", 1, 0)
| eval MimikatzVault = if(CommandLine matches "(?i)(vault::cred|dpapi::cred)", 1, 0)
| eval CredBackup = if(CommandLine matches "(?i)keymgr[.]dll", 1, 0)
| eval SuspicionScore = VaultEnum + CmdkeyEnum + (MimikatzVault * 3) + (CredBackup * 2)
| where SuspicionScore > 0
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, VaultEnum, CmdkeyEnum, MimikatzVault, CredBackup, SuspicionScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon (EventID 1) via _sourceCategory Windows Security Event Log (EventID 4688) via _sourceCategory

Required Tables

Sysmon operational log Windows Security Event Log

False Positives

Remote desktop configuration automation using cmdkey to store credentials for unattended RDP connections across managed endpoints
Enterprise software deployment tools invoking vaultcmd to validate credential state during workstation lifecycle provisioning
Security products performing credential health checks or inventory scans that reference keymgr.dll or enumerate Credential Manager entries as part of their normal operation

Google Chronicle / SecOps

yaral

rule t1555_004_windows_credential_manager_access {
  meta:
    author = "Detection Engineering"
    description = "Detects Windows Credential Manager enumeration and harvesting via vaultcmd.exe, cmdkey.exe, rundll32.exe keymgr.dll, Mimikatz vault/dpapi modules, and PowerShell credential dump tools"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1555.004"
    severity = "HIGH"
    confidence = "HIGH"
    platforms = "Windows"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)vaultcmd[.]exe$`) and
        re.regex($e.target.process.command_line, `(?i)/(listcreds|list)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)cmdkey[.]exe$`) and
        re.regex($e.target.process.command_line, `(?i)/list`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)rundll32[.]exe$`) and
        re.regex($e.target.process.command_line, `(?i)keymgr[.]dll`)
      ) or
      re.regex($e.target.process.command_line, `(?i)(Invoke-WCMDump|vault::cred|vault::list|dpapi::cred|Get-VaultCredential|CredEnumerateA|CredEnumerateW|KRShowKeyMgr)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Chronicle Forwarder (Windows Event Logs) Chronicle Sysmon Ingestion Pipeline

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Automated IT compliance scripts enumerating stored credentials for audit purposes using vaultcmd or cmdkey on a scheduled basis
Password migration tooling leveraging keymgr.dll or CredEnumerate APIs to export and transfer credentials during workstation replacement projects
Security operations teams executing Mimikatz in isolated sandbox or malware analysis lab environments for threat research or training exercises

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| CommandLine = /(?i)(vaultcmd.*(\/listcreds|\/list)|cmdkey.*\/list|rundll32.*keymgr[.]dll|Invoke-WCMDump|vault::cred|vault::list|dpapi::cred|Get-VaultCredential|CredEnumerateA|CredEnumerateW|KRShowKeyMgr)/
| VaultEnum := if(CommandLine = /(?i)(vaultcmd|vault::list)/, 1, 0)
| CmdkeyEnum := if(CommandLine = /(?i)cmdkey.*\/list/, 1, 0)
| MimikatzVault := if(CommandLine = /(?i)(vault::cred|dpapi::cred)/, 1, 0)
| CredBackup := if(CommandLine = /(?i)keymgr[.]dll/, 1, 0)
| SuspicionScore := VaultEnum + CmdkeyEnum + (MimikatzVault * 3) + (CredBackup * 2)
| select([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, VaultEnum, CmdkeyEnum, MimikatzVault, CredBackup, SuspicionScore])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Agent Falcon ProcessRollup2 Event Stream

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

Help desk automation workflows using cmdkey to configure persistent credentials for unattended RDP or file share access on managed endpoints
CrowdStrike Falcon itself or third-party EDR agents that enumerate Windows Credential Manager entries during endpoint posture assessment or credential hygiene checks
Developer workstations running integration test suites or CI pipeline scripts that invoke Windows credential management APIs for authentication testing against internal services

Windows Credential Manager

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections