Detect Windows Credential Manager in Elastic Security
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults). Credentials are stored as encrypted .vcrd files under %Systemdrive%\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\. Adversaries may enumerate credentials via vaultcmd.exe, cmdkey.exe, Windows APIs (CredEnumerateA), or extract credential backups via rundll32.exe keymgr.dll KRShowKeyMgr. Tools like Mimikatz (vault::cred, vault::list) and PowerSploit can also harvest Credential Manager contents.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Sub-technique
- T1555.004 Windows Credential Manager
- Canonical reference
- https://attack.mitre.org/techniques/T1555/004/
Elastic Detection Query
process where host.os.type == "windows" and event.type == "start" and (
(process.name like~ "vaultcmd.exe" and (process.command_line like~ "*/listcreds*" or process.command_line like~ "*/list*")) or
(process.name like~ "cmdkey.exe" and process.command_line like~ "*/list*") or
(process.name like~ "rundll32.exe" and process.command_line like~ "*keymgr.dll*") or
process.command_line like~ "*Invoke-WCMDump*" or
process.command_line like~ "*vault::cred*" or
process.command_line like~ "*vault::list*" or
process.command_line like~ "*dpapi::cred*" or
process.command_line like~ "*Get-VaultCredential*" or
process.command_line like~ "*CredEnumerateA*" or
process.command_line like~ "*CredEnumerateW*" or
process.command_line like~ "*KRShowKeyMgr*"
)Detects Windows Credential Manager enumeration and harvesting using Elastic EQL over ECS-mapped process events. Matches vaultcmd.exe /listcreds and /list, cmdkey.exe /list, rundll32.exe loading keymgr.dll for credential backup extraction, Mimikatz vault::cred/vault::list/dpapi::cred module invocations, and PowerShell tools Invoke-WCMDump and Get-VaultCredential. Maps to MITRE ATT&CK T1555.004.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators or help desk staff running cmdkey /list or vaultcmd /list during credential troubleshooting or workstation provisioning workflows
- Enterprise password management or SSO provisioning tools programmatically calling CredEnumerateA/CredEnumerateW APIs to audit or migrate stored credentials
- Authorized red team or penetration testing operations executing credential access techniques within scoped and documented engagements
Other platforms for T1555.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate stored credentials with cmdkey
Expected signal: Sysmon Event ID 1: Process Create with Image=cmdkey.exe, CommandLine='cmdkey /list'. Security Event ID 4688 with same details. Security Event ID 5379 if Credential Validation auditing is enabled.
- Test 2Enumerate vault credentials with vaultcmd
Expected signal: Sysmon Event ID 1: Process Create with Image=vaultcmd.exe, CommandLine containing '/listcreds'. Security Event ID 4688 with command line.
- Test 3Export credential backup via keymgr.dll
Expected signal: Sysmon Event ID 1: Process Create with Image=rundll32.exe, CommandLine='rundll32.exe keymgr.dll,KRShowKeyMgr'. The GUI will open for user interaction.
References (6)
- https://attack.mitre.org/techniques/T1555/004/
- https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/
- https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials
- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea
- https://www.passcape.com/windows_password_recovery_vault_explorer
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md
Unlock Pro Content
Get the full detection package for T1555.004 including response playbook, investigation guide, and atomic red team tests.