Detect Credentials from Password Stores in Elastic Security
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Canonical reference
- https://attack.mitre.org/techniques/T1555/
Elastic Detection Query
process where event.type == "start" and (
process.name : ("mimikatz.exe", "lazagne.exe", "credentialfileview.exe", "vaultpasswordview.exe", "netpass.exe", "keethief.exe", "dumperts.exe", "browserpassview.exe", "webbrowserpassview.exe", "mailpassview.exe", "chromiumpassworddecryptor.exe", "creddump.exe")
or process.command_line : ("*cmdkey* /list*", "*vaultcmd* /listcreds*", "*security* dump-keychain*", "*security* find-generic-password*", "*security* find-internet-password*", "*rundll32*keymgr.dll*", "*CryptUnprotectData*", "*CredEnumerateA*", "*CredEnumerateW*", "*SecKeychainFindInternetPassword*", "*dpapi::cred*", "*vault::list*", "*vault::cred*")
or process.parent.name : ("mimikatz.exe", "lazagne.exe", "credentialfileview.exe", "vaultpasswordview.exe", "netpass.exe", "keethief.exe", "dumperts.exe", "browserpassview.exe", "webbrowserpassview.exe", "mailpassview.exe", "chromiumpassworddecryptor.exe", "creddump.exe")
)Detects execution of known credential harvesting tools targeting password stores (T1555). Matches on process name, command-line arguments referencing credential enumeration APIs and CLI commands, and parent process names of known tools. Covers Mimikatz vault/DPAPI modules, LaZagne, NirSoft credential viewers, KeeThief, and native Windows/macOS credential CLI commands.
Data Sources
Required Tables
False Positives & Tuning
- Security auditing tools run by IT operations (e.g., CyberArk, BeyondTrust discovery agents) may invoke CredEnumerate APIs legitimately.
- Password manager installers or update processes (Bitwarden, 1Password) may use find-generic-password on macOS during vault migration.
- Penetration testing engagements where LaZagne or Mimikatz are used under an authorised scope — correlate with change-window tickets.
Other platforms for T1555
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Windows Credential Manager with cmdkey
Expected signal: Sysmon Event ID 1: Process Create with Image=cmdkey.exe, CommandLine='cmdkey /list'. Security Event ID 4688 with same details if command line auditing is enabled.
- Test 2Enumerate Windows Vault with vaultcmd
Expected signal: Sysmon Event ID 1: Process Create with Image=vaultcmd.exe, CommandLine containing '/listcreds'. Security Event ID 4688 with command line details.
- Test 3Dump macOS Keychain credentials
Expected signal: macOS Unified Log: process creation for /usr/bin/security with arguments 'dump-keychain -d'. Endpoint Security Framework (ESF) events for Keychain access. EDR telemetry showing security binary execution with dump-keychain argument.
Unlock Pro Content
Get the full detection package for T1555 including response playbook, investigation guide, and atomic red team tests.