Detect Credentials from Password Stores in Microsoft Sentinel
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Canonical reference
- https://attack.mitre.org/techniques/T1555/
KQL Detection Query
let CredentialTools = dynamic(["mimikatz", "lazagne", "credentialfileview", "vaultpasswordview", "netpass", "nirsoft", "keethief", "dumperts", "browserpassview", "webbrowserpassview", "mailpassview", "chromiumpassworddecryptor", "creddump"]);
let CredentialCommands = dynamic(["cmdkey /list", "vaultcmd /listcreds", "security dump-keychain", "security find-generic-password", "security find-internet-password", "rundll32.exe keymgr.dll", "CryptUnprotectData", "CredEnumerateA", "CredEnumerateW", "SecKeychainFindInternetPassword", "dpapi::cred", "vault::list", "vault::cred"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (CredentialCommands)
or FileName has_any (CredentialTools)
or InitiatingProcessFileName has_any (CredentialTools)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp descBroad detection for credential harvesting from password stores across Windows, macOS, and Linux. Monitors for known credential theft tools (Mimikatz, LaZagne, NirSoft utilities, KeeThief) and native OS commands used to enumerate or dump credentials from system password stores including Windows Credential Manager, macOS Keychain, and browser credential databases.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators using cmdkey /list to audit stored credentials during maintenance windows
- macOS developers or sysadmins legitimately querying Keychain via the security command-line tool
- Penetration testing teams running authorized credential audits with tools like LaZagne
- Password manager applications performing legitimate credential operations
Other platforms for T1555
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Windows Credential Manager with cmdkey
Expected signal: Sysmon Event ID 1: Process Create with Image=cmdkey.exe, CommandLine='cmdkey /list'. Security Event ID 4688 with same details if command line auditing is enabled.
- Test 2Enumerate Windows Vault with vaultcmd
Expected signal: Sysmon Event ID 1: Process Create with Image=vaultcmd.exe, CommandLine containing '/listcreds'. Security Event ID 4688 with command line details.
- Test 3Dump macOS Keychain credentials
Expected signal: macOS Unified Log: process creation for /usr/bin/security with arguments 'dump-keychain -d'. Endpoint Security Framework (ESF) events for Keychain access. EDR telemetry showing security binary execution with dump-keychain argument.
Unlock Pro Content
Get the full detection package for T1555 including response playbook, investigation guide, and atomic red team tests.