Detect Credentials from Password Stores in IBM QRadar
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Canonical reference
- https://attack.mitre.org/techniques/T1555/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
sourceip AS "Source IP",
username AS "Username",
"Process Name" AS "Process Name",
"Command" AS "Command Line",
"Parent Process Name" AS "Parent Process"
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND EventID IN (1, 4688)
AND (
LOWER("Process Name") MATCHES '(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass\.exe|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)'
OR LOWER("Command") MATCHES '(cmdkey[\s]+/list|vaultcmd[\s]+/listcreds|security[\s]+dump-keychain|security[\s]+find-generic-password|security[\s]+find-internet-password|rundll32.*keymgr\.dll|cryptunprotectdata|credenumeratea|credenumeratew|dpapi::cred|vault::list|vault::cred)'
OR LOWER("Parent Process Name") MATCHES '(mimikatz|lazagne|credentialfileview|vaultpasswordview|keethief|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)'
)
ORDER BY starttime DESC
LAST 24 HOURSAQL rule for IBM QRadar detecting credential harvesting tool execution and credential store enumeration commands. Queries Windows Security Event Log (EventID 4688 — process creation) and Sysmon (EventID 1) log sources. Matches against known tool names in the process image path and known credential-access command patterns in the command-line field.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise password vault agents (CyberArk CPM, Delinea) that enumerate Windows Credential Manager entries during reconciliation cycles.
- Custom PowerShell scripts used by helpdesk to list stored credentials with cmdkey /list during troubleshooting sessions.
- Security awareness / red team simulation platforms (e.g., AttackIQ, Cymulate) that execute credential access scenarios in test environments.
Other platforms for T1555
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Windows Credential Manager with cmdkey
Expected signal: Sysmon Event ID 1: Process Create with Image=cmdkey.exe, CommandLine='cmdkey /list'. Security Event ID 4688 with same details if command line auditing is enabled.
- Test 2Enumerate Windows Vault with vaultcmd
Expected signal: Sysmon Event ID 1: Process Create with Image=vaultcmd.exe, CommandLine containing '/listcreds'. Security Event ID 4688 with command line details.
- Test 3Dump macOS Keychain credentials
Expected signal: macOS Unified Log: process creation for /usr/bin/security with arguments 'dump-keychain -d'. Endpoint Security Framework (ESF) events for Keychain access. EDR telemetry showing security binary execution with dump-keychain argument.
Unlock Pro Content
Get the full detection package for T1555 including response playbook, investigation guide, and atomic red team tests.