T1555 Sumo Logic CSE · Sumo

Detect Credentials from Password Stores in Sumo Logic CSE

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1555 Credentials from Password Stores
Canonical reference
https://attack.mitre.org/techniques/T1555/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory="*windows*" OR _sourceCategory="*sysmon*" OR _sourceCategory="WinEventLog")
| where EventCode in ("1", "4688")
| eval cmd_lower = toLowerCase(CommandLine)
| eval img_lower = toLowerCase(Image)
| eval parent_lower = toLowerCase(ParentImage)
| where (
    img_lower matches "/(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)/"
    OR parent_lower matches "/(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)/"
    OR cmd_lower matches "/(cmdkey[\s]+\/list|vaultcmd[\s]+\/listcreds|security[\s]+dump-keychain|security[\s]+find-generic-password|security[\s]+find-internet-password|rundll32.*keymgr\.dll|cryptunprotectdata|credenumeratea|credenumeratew|dpapi::cred|vault::list|vault::cred)/"
  )
| eval tool_match = if(img_lower matches "/(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)/", 1, 0)
| eval cmd_match = if(cmd_lower matches "/(cmdkey[\s]+\/list|vaultcmd[\s]+\/listcreds|security[\s]+dump-keychain|security[\s]+find-generic-password|security[\s]+find-internet-password|rundll32.*keymgr\.dll|cryptunprotectdata|credenumeratea|credenumeratew|dpapi::cred|vault::list|vault::cred)/", 1, 0)
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, tool_match, cmd_match
| sort by _messageTime desc
high severity high confidence

Sumo Logic search query detecting credential harvesting tool execution and password store enumeration commands from Windows Sysmon (EventID 1) and Security Event Log (EventID 4688) sources. Uses regex matching on process image names and command-line strings to identify both known tool names and credential-access API/CLI patterns. Includes match classification fields to differentiate tool-name hits from command-line hits.

Data Sources

Sumo Logic Windows Source (Sysmon EventID 1)Sumo Logic Windows Source (Security EventID 4688)Sumo Logic Installed Collector on Windows endpoints

Required Tables

Windows Event Log source (WinEventLog or Sysmon)Sumo Logic CSE normalized process schema

False Positives & Tuning

  • IT asset discovery solutions (Lansweeper, PDQ Inventory) that enumerate credential stores as part of software inventory scans.
  • macOS Jamf or Munki management agents invoking `security find-generic-password` to verify keychain entries during managed app installs.
  • Chrome or Edge browser updates that internally access Windows Credential Manager to migrate saved passwords — triggers on process arguments.
Download portable Sigma rule (.yml)

Other platforms for T1555

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Windows Credential Manager with cmdkey

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmdkey.exe, CommandLine='cmdkey /list'. Security Event ID 4688 with same details if command line auditing is enabled.

  2. Test 2Enumerate Windows Vault with vaultcmd

    Expected signal: Sysmon Event ID 1: Process Create with Image=vaultcmd.exe, CommandLine containing '/listcreds'. Security Event ID 4688 with command line details.

  3. Test 3Dump macOS Keychain credentials

    Expected signal: macOS Unified Log: process creation for /usr/bin/security with arguments 'dump-keychain -d'. Endpoint Security Framework (ESF) events for Keychain access. EDR telemetry showing security binary execution with dump-keychain argument.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1555 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (6)

Related Techniques

T1555.001KeychainT1555.002Securityd MemoryT1555.003Credentials from Web BrowsersT1555.004Windows Credential ManagerT1555.005Password ManagersT1555.006Cloud Secrets Management StoresT1003OS Credential DumpingT1539Steal Web Session CookieT1552.002Credentials in RegistryT1110.001Password Guessing

Same Tactic: Credential Access

Popular Detections