T1555 CrowdStrike LogScale · LogScale

Detect Credentials from Password Stores in CrowdStrike LogScale

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1555 Credentials from Password Stores
Canonical reference
https://attack.mitre.org/techniques/T1555/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName = ProcessRollup2
| eval img_lower = lowercase(ImageFileName)
| eval cmd_lower = lowercase(CommandLine)
| eval parent_lower = lowercase(ParentBaseFileName)
| eval tool_match = if(
    match(img_lower, regex="(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)"),
    "tool_name",
    ""
  )
| eval cmd_match = if(
    match(cmd_lower, regex="(cmdkey[\\s]+/list|vaultcmd[\\s]+/listcreds|security[\\s]+dump-keychain|security[\\s]+find-generic-password|security[\\s]+find-internet-password|rundll32.*keymgr\\.dll|cryptunprotectdata|credenumeratea|credenumeratew|dpapi::cred|vault::list|vault::cred)"),
    "cmd_pattern",
    ""
  )
| eval parent_match = if(
    match(parent_lower, regex="(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)"),
    "parent_tool",
    ""
  )
| where tool_match != "" OR cmd_match != "" OR parent_match != ""
| eval match_reason = array_concat(
    if(tool_match != "", [tool_match], []),
    if(cmd_match != "", [cmd_match], []),
    if(parent_match != "", [parent_match], [])
  )
| table [@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, match_reason]
| sort @timestamp desc
high severity high confidence

CrowdStrike LogScale (Falcon) query detecting password store credential harvesting via ProcessRollup2 events. Evaluates tool name match on the process image path, command-line pattern match for known credential enumeration commands and API names, and parent process name match for child processes of known tools. Produces a match_reason array to assist triage by identifying which detection signal fired.

Data Sources

CrowdStrike Falcon Endpoint Protection — ProcessRollup2 telemetryFalcon Data Replicator (FDR) streaming to LogScaleLogScale Falcon Insight log source

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives & Tuning

  • CrowdStrike Falcon sensor itself or third-party EDR agents that enumerate credentials during process injection prevention checks — typically run as SYSTEM with a signed parent.
  • Enterprise single-sign-on helpers (OKTA Device Trust, Duo Authentication for Windows) that call CredEnumerateW to locate stored SSO tokens during login.
  • Developer tooling such as Git Credential Manager or AWS CLI credential helper that invoke native credential store APIs to retrieve repository or cloud credentials from Windows Credential Manager.
Download portable Sigma rule (.yml)

Other platforms for T1555

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Windows Credential Manager with cmdkey

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmdkey.exe, CommandLine='cmdkey /list'. Security Event ID 4688 with same details if command line auditing is enabled.

  2. Test 2Enumerate Windows Vault with vaultcmd

    Expected signal: Sysmon Event ID 1: Process Create with Image=vaultcmd.exe, CommandLine containing '/listcreds'. Security Event ID 4688 with command line details.

  3. Test 3Dump macOS Keychain credentials

    Expected signal: macOS Unified Log: process creation for /usr/bin/security with arguments 'dump-keychain -d'. Endpoint Security Framework (ESF) events for Keychain access. EDR telemetry showing security binary execution with dump-keychain argument.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1555 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (6)

Related Techniques

T1555.001KeychainT1555.002Securityd MemoryT1555.003Credentials from Web BrowsersT1555.004Windows Credential ManagerT1555.005Password ManagersT1555.006Cloud Secrets Management StoresT1003OS Credential DumpingT1539Steal Web Session CookieT1552.002Credentials in RegistryT1110.001Password Guessing

Same Tactic: Credential Access

Popular Detections