Detects unauthorized access to Windows Credential Manager through anomalous process execution (vaultcmd.exe, rundll32.exe keymgr.dll), suspicious API calls (CredEnumerateA), or direct file access to Credential Locker files. Correlates process creation with subsequent file reads of .vcrd/.vpol files under user Credential Locker directories.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |

| Field | Description |
|---|---|
| MonitoredPaths | Credential Locker paths such as %Systemdrive%\Users\*\AppData\Local\Microsoft\Credentials and %Systemdrive%\Users\*\AppData\Local\Microsoft\Vault |
| TimeWindow | Correlation window between process execution, file access, and API calls |
| PrivilegedUsers | Baseline of expected administrative/service accounts with legitimate Credential Manager access |
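The correlation described above (suspicious process start followed by a .vcrd/.vpol read under a monitored Credential Locker path, within TimeWindow, with PrivilegedUsers suppressed) as an added example run over constructed events; this is illustration code, not the analytic's own implementation. The event dicts, field names, the EXAMPLE-GUID vault folder and the account names are assumptions standing in for normalised 4688/Sysmon records.

```python
import re
from datetime import datetime

# Regex form of the page's MonitoredPaths: %Systemdrive%\Users\*\AppData\Local\Microsoft\{Credentials,Vault}
LOCKER_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\microsoft\\(credentials|vault)\\", re.I)
LOCKER_EXT = (".vcrd", ".vpol")

def is_suspicious_process(ev):
    """Process creation for one of the Credential Manager access vectors named on the page."""
    image, cmd = ev["image"].lower(), ev.get("cmdline", "").lower()
    return image.endswith("\\vaultcmd.exe") or (image.endswith("\\rundll32.exe") and "keymgr.dll" in cmd)

def is_locker_file(path):
    """A .vcrd/.vpol file inside a user's Credential Locker directory."""
    return bool(LOCKER_DIR.match(path)) and path.lower().endswith(LOCKER_EXT)

def correlate(events, time_window=30, privileged_users=()):
    """Pair each suspicious process start with a later locker-file access by the same
    PID and user within time_window seconds; accounts in the baseline are suppressed.
    Caveat: keying on PID alone is fooled by PID reuse, so keep the window short."""
    baseline = {u.lower() for u in privileged_users}
    when = lambda ev: datetime.fromisoformat(ev["ts"])
    starts, alerts = {}, []
    for ev in sorted(events, key=when):
        if ev["type"] == "process" and is_suspicious_process(ev):
            starts[ev["pid"]] = ev
        elif ev["type"] == "file" and is_locker_file(ev["path"]):
            proc = starts.get(ev["pid"])
            if proc is None or proc["user"] != ev["user"] or ev["user"].lower() in baseline:
                continue
            delta = (when(ev) - when(proc)).total_seconds()
            if 0 <= delta <= time_window:
                alerts.append({"user": ev["user"], "image": proc["image"], "path": ev["path"], "seconds": delta})
    return alerts

# Constructed sample events (not from the page), normalised from Security 4688 / Sysmon records.
VAULT = "C:\\Users\\{u}\\AppData\\Local\\Microsoft\\Vault\\EXAMPLE-GUID\\Policy.vpol"
SAMPLE = [
    {"ts": "2024-05-01T10:00:00", "type": "process", "user": "CORP\\alice", "pid": 4120,
     "image": "C:\\Windows\\System32\\vaultcmd.exe", "cmdline": "vaultcmd /list"},
    {"ts": "2024-05-01T10:00:04", "type": "file", "user": "CORP\\alice", "pid": 4120, "path": VAULT.format(u="alice")},
    {"ts": "2024-05-01T11:00:00", "type": "process", "user": "CORP\\svc_backup", "pid": 5001,
     "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe keymgr.dll,KRShowKeyMgr"},
    {"ts": "2024-05-01T11:00:01", "type": "file", "user": "CORP\\svc_backup", "pid": 5001, "path": VAULT.format(u="svc_backup")},
    {"ts": "2024-05-01T12:00:00", "type": "process", "user": "CORP\\bob", "pid": 6100,
     "image": "C:\\Windows\\System32\\vaultcmd.exe", "cmdline": "vaultcmd /list"},
    {"ts": "2024-05-01T12:05:00", "type": "file", "user": "CORP\\bob", "pid": 6100, "path": VAULT.format(u="bob")},
]

ALERTS = correlate(SAMPLE, time_window=30, privileged_users={"CORP\\svc_backup"})
```

Only alice's activity alerts: svc_backup is in the PrivilegedUsers baseline and bob's file read falls outside the 30-second window, which is the kind of tuning the TimeWindow and PrivilegedUsers fields above exist for.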