Detect Credentials from Password Stores in Splunk
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Canonical reference
- https://attack.mitre.org/techniques/T1555/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine)
| eval CredToolMatch=if(match(Image, "(?i)(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|browserpassview|webbrowserpassview)"), 1, 0)
| eval CredCmdMatch=if(match(CommandLine, "(cmdkey\s+/list|vaultcmd\s+/listcreds|security\s+dump-keychain|security\s+find-generic-password|security\s+find-internet-password|rundll32.*keymgr\.dll|cryptunprotectdata|credenumeratea|credenumeratew|dpapi::cred|vault::list|vault::cred)"), 1, 0)
| where CredToolMatch=1 OR CredCmdMatch=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, CredToolMatch, CredCmdMatch
| sort - _timeBroad detection for credential theft from password stores using Sysmon process creation events. Identifies known credential dumping tools and native OS commands for enumerating stored credentials across Windows Credential Manager, macOS Keychain, and browser databases.
Data Sources
Required Sourcetypes
False Positives & Tuning
- IT administrators using cmdkey /list to audit stored credentials during maintenance windows
- Penetration testing teams running authorized credential audits with tools like LaZagne
- Security scanning tools that enumerate credential stores as part of vulnerability assessments
- System management scripts that check credential store health
Other platforms for T1555
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Windows Credential Manager with cmdkey
Expected signal: Sysmon Event ID 1: Process Create with Image=cmdkey.exe, CommandLine='cmdkey /list'. Security Event ID 4688 with same details if command line auditing is enabled.
- Test 2Enumerate Windows Vault with vaultcmd
Expected signal: Sysmon Event ID 1: Process Create with Image=vaultcmd.exe, CommandLine containing '/listcreds'. Security Event ID 4688 with command line details.
- Test 3Dump macOS Keychain credentials
Expected signal: macOS Unified Log: process creation for /usr/bin/security with arguments 'dump-keychain -d'. Endpoint Security Framework (ESF) events for Keychain access. EDR telemetry showing security binary execution with dump-keychain argument.
Unlock Pro Content
Get the full detection package for T1555 including response playbook, investigation guide, and atomic red team tests.