Detect Windows Credential Manager in IBM QRadar
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults). Credentials are stored as encrypted .vcrd files under %Systemdrive%\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\. Adversaries may enumerate credentials via vaultcmd.exe, cmdkey.exe, Windows APIs (CredEnumerateA), or extract credential backups via rundll32.exe keymgr.dll KRShowKeyMgr. Tools like Mimikatz (vault::cred, vault::list) and PowerSploit can also harvest Credential Manager contents.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Sub-technique
- T1555.004 Windows Credential Manager
- Canonical reference
- https://attack.mitre.org/techniques/T1555/004/
QRadar Detection Query
```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  username AS "Username",
  hostname AS "Hostname",
  "Process Name" AS "Image",
  "Command" AS "CommandLine",
  "Parent Process Name" AS "ParentImage",
  CASE WHEN LOWER("Process Name") LIKE '%vaultcmd%' OR LOWER("Command") LIKE '%vault::list%' THEN 1 ELSE 0 END AS VaultEnum,
  CASE WHEN LOWER("Command") LIKE '%cmdkey%' AND LOWER("Command") LIKE '%/list%' THEN 1 ELSE 0 END AS CmdkeyEnum,
  CASE WHEN LOWER("Command") LIKE '%vault::cred%' OR LOWER("Command") LIKE '%dpapi::cred%' THEN 3 ELSE 0 END AS MimikatzScore,
  CASE WHEN LOWER("Command") LIKE '%keymgr.dll%' THEN 2 ELSE 0 END AS CredBackupScore
FROM events
WHERE LOGSOURCETYPEID IN (12, 352)
  AND (
    (LOWER("Process Name") LIKE '%vaultcmd.exe%' AND (LOWER("Command") LIKE '%/listcreds%' OR LOWER("Command") LIKE '%/list%'))
    OR (LOWER("Process Name") LIKE '%cmdkey.exe%' AND LOWER("Command") LIKE '%/list%')
    OR (LOWER("Process Name") LIKE '%rundll32.exe%' AND LOWER("Command") LIKE '%keymgr.dll%')
    OR LOWER("Command") LIKE '%invoke-wcmdump%'
    OR LOWER("Command") LIKE '%vault::cred%'
    OR LOWER("Command") LIKE '%vault::list%'
    OR LOWER("Command") LIKE '%dpapi::cred%'
    OR LOWER("Command") LIKE '%get-vaultcredential%'
    OR LOWER("Command") LIKE '%credenumeratea%'
    OR LOWER("Command") LIKE '%credenumeratew%'
    OR LOWER("Command") LIKE '%krshowkeymgr%'
  )
LAST 24 HOURS
```
Detects Windows Credential Manager access in IBM QRadar using AQL against Windows Security (EventID 4688) and Sysmon (EventID 1) process creation log sources. Queries the DSM-extracted Process Name and Command custom properties. Applies per-technique suspicion scoring to triage vault enumeration, cmdkey /list abuse, Mimikatz vault/dpapi modules, and keymgr.dll credential backup extraction. LOGSOURCETYPEID 12 = Windows Security Event Log, 352 = Microsoft Windows Sysmon.
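The WHERE filter and the four CASE scores above, replayed in Python over constructed process-creation events so the triage order can be checked offline (an added example, not code from the page or from QRadar; the event field names, hostnames and file paths are assumptions):

```python
# Added example: offline replica of the AQL filter and scoring, not the page's or QRadar's code.

# Log source types the AQL query watches (12 = Windows Security, 352 = Sysmon)
WATCHED_SOURCES = {12, 352}

# Command-line substrings the query matches regardless of image name
CMD_PATTERNS = (
    "invoke-wcmdump", "vault::cred", "vault::list", "dpapi::cred",
    "get-vaultcredential", "credenumeratea", "credenumeratew", "krshowkeymgr",
)

def matches(ev):
    """Mirror of the WHERE clause: True if the query would return this event."""
    if ev["logsourcetypeid"] not in WATCHED_SOURCES:
        return False
    proc, cmd = ev["process"].lower(), ev["command"].lower()
    if "vaultcmd.exe" in proc and ("/listcreds" in cmd or "/list" in cmd):
        return True
    if "cmdkey.exe" in proc and "/list" in cmd:
        return True
    if "rundll32.exe" in proc and "keymgr.dll" in cmd:
        return True
    return any(p in cmd for p in CMD_PATTERNS)

def score(ev):
    """Mirror of the four CASE columns: per-technique scores keyed by column name."""
    proc, cmd = ev["process"].lower(), ev["command"].lower()
    return {
        "VaultEnum": 1 if "vaultcmd" in proc or "vault::list" in cmd else 0,
        "CmdkeyEnum": 1 if "cmdkey" in cmd and "/list" in cmd else 0,
        "MimikatzScore": 3 if "vault::cred" in cmd or "dpapi::cred" in cmd else 0,
        "CredBackupScore": 2 if "keymgr.dll" in cmd else 0,
    }

def triage(events):
    """Matching events with their summed score, highest first (ties keep input order)."""
    hits = [(sum(score(e).values()), e) for e in events if matches(e)]
    return sorted(hits, key=lambda h: h[0], reverse=True)

# Constructed sample events (hostnames, paths and command lines are made up, not real telemetry)
SAMPLE_EVENTS = [
    {"logsourcetypeid": 352, "hostname": "WS01", "process": r"C:\Windows\System32\cmdkey.exe", "command": "cmdkey /list"},
    {"logsourcetypeid": 12, "hostname": "WS02", "process": r"C:\Windows\System32\VaultCmd.exe", "command": 'VaultCmd /listcreds:"Windows Credentials" /all'},
    {"logsourcetypeid": 352, "hostname": "WS03", "process": r"C:\Windows\System32\rundll32.exe", "command": "rundll32.exe keymgr.dll,KRShowKeyMgr"},
    {"logsourcetypeid": 352, "hostname": "WS04", "process": r"C:\Temp\mimikatz.exe", "command": 'mimikatz.exe "vault::cred" exit'},
    {"logsourcetypeid": 352, "hostname": "WS05", "process": r"C:\Windows\System32\notepad.exe", "command": "notepad.exe vault.txt"},  # benign, no match
    {"logsourcetypeid": 99, "hostname": "WS06", "process": r"C:\Windows\System32\cmdkey.exe", "command": "cmdkey /list"},  # out-of-scope log source
]

if __name__ == "__main__":
    for total, ev in triage(SAMPLE_EVENTS):
        print(total, ev["hostname"], ev["command"])
```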
False Positives & Tuning
- Workstation provisioning or imaging scripts using cmdkey to pre-populate domain credentials for mapped drives or automated RDP session setup
- IT administrators running vaultcmd for authorized credential inventory audits or tier-1 endpoint support tasks
- Vulnerability scanners or EDR agents that enumerate Windows Credential Manager stores as part of endpoint posture telemetry collection
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Enumerate stored credentials with cmdkey
Expected signal: Sysmon Event ID 1: Process Create with Image=cmdkey.exe, CommandLine='cmdkey /list'. Security Event ID 4688 with same details. Security Event ID 5379 if Credential Validation auditing is enabled.
- Test 2: Enumerate vault credentials with vaultcmd
Expected signal: Sysmon Event ID 1: Process Create with Image=vaultcmd.exe, CommandLine containing '/listcreds'. Security Event ID 4688 with command line.
- Test 3: Export credential backup via keymgr.dll
Expected signal: Sysmon Event ID 1: Process Create with Image=rundll32.exe, CommandLine='rundll32.exe keymgr.dll,KRShowKeyMgr'. The GUI will open for user interaction.
References
- https://attack.mitre.org/techniques/T1555/004/
- https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/
- https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials
- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea
- https://www.passcape.com/windows_password_recovery_vault_explorer
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md