1. Home
  2. Techniques
  3. Enterprise
  4. Credentials from Password Stores
  5. Windows Credential Manager

Credentials from Password Stores: Windows Credential Manager

ID Name
T1555.001 Keychain
T1555.002 Securityd Memory
T1555.003 Credentials from Web Browsers
T1555.004 Windows Credential Manager
T1555.005 Password Managers
T1555.006 Cloud Secrets Management Stores

Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).[1][2]

The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of Credentials from Web Browsers, Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.

Credential Lockers store credentials in encrypted .vcrd files, located under %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.[3][4]

Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may also gather credentials by directly reading files located inside of the Credential Lockers. Windows APIs, such as CredEnumerateA, may also be absued to list credentials managed by the Credential Manager.[5][6]

Adversaries may also obtain credentials from credential backups. Credential backups and restorations may be performed by running rundll32.exe keymgr.dll KRShowKeyMgr then selecting the "Back up..." button on the "Stored User Names and Passwords" GUI.

Password recovery tools may also obtain plain text passwords from the Credential Manager.[4]

ID: T1555.004
Sub-technique of:  T1555
Tactic: Credential Access
Platforms: Windows
Contributors: Bernaldo Penas Antelo; Mugdha Peter Bansode; Uriel Kosayev; Vadim Khrykov
Version: 1.1
Created: 23 November 2020
Last Modified: 15 October 2024
Version Permalink

Procedure Examples

ID Name Description
S0526 KGH_SPY

KGH_SPY can collect credentials from the Windows Credential Manager.[7]
S0349 LaZagne

LaZagne can obtain credentials from Vault files.[8]

S0681 Lizar

Lizar has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using vaultcmd.exe and another that can collect RDP access credentials using the CredEnumerateW function.[9]
S0002 Mimikatz

Mimikatz contains functionality to acquire credentials from the Windows Credential Manager.[6]
G0049 OilRig

OilRig has used credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.[10]
S0194 PowerSploit

PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Windows vault credential objects.[11][12]
S0629 RainyDay

RainyDay can use the QuarksPwDump tool to obtain local passwords and domain cached credentials.[13]
S0240 ROKRAT

ROKRAT can steal credentials by leveraging the Windows Vault mechanism.[14]
S0692 SILENTTRINITY

SILENTTRINITY can gather Windows Vault credentials.[15]

G0038 Stealth Falcon

Stealth Falcon malware gathers passwords from the Windows Credential Vault.[16]
G0010 Turla

Turla has gathered credentials from the Windows Credential Manager tool.[17]

S0476 Valak

Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager.[18]
G0102 Wizard Spider

Wizard Spider has used PowerShell cmdlet Invoke-WCMDump to enumerate Windows credentials in the Credential Manager in a compromised network.[19]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Consider enabling the "Network access: Do not allow storage of passwords and credentials for network authentication" setting that will prevent network credentials from being stored by the Credential Manager.[20]

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for suspicious activity listing credentials from the Windows Credentials locker (e.g. vaultcmd /listcreds:"Windows Credentials").[4]

Analytic 1 - Commands indicating credential searches in Windows Credential Manager.

index=security sourcetype="Powershell" EventCode=4104(CommandLine IN ("vaultcmd.exe", "rundll32.exe keymgr.dll KRShowKeyMgr"))
DS0022 File File Access

Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\, for suspicious activity.[4]

Analytic 1 - Unauthorized access to Windows Vault credential files.

index=security sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" event_type="file_access"(file_path IN ("%SystemDrive%\Users\\AppData\Local\Microsoft\Vault\\.vcrd", "%SystemDrive%\Users\\AppData\Local\Microsoft\Credentials\\.vcrd", "%SystemDrive%\Users\\AppData\Local\Microsoft\Vault\\Policy.vpol", "%SystemDrive%\Users\\AppData\Local\Microsoft\Credentials\\Policy.vpol"))
DS0009 Process OS API Execution

Consider monitoring API calls such as CredEnumerateA that may list credentials from the Windows Credential Manager.[5][6]

Analytic 1 - Suspicious API calls related to Windows Credential Manager access.

index=security sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" event_type="api_call"(api IN ("CredEnumerateA", "CredEnumerateW", "CredReadA", "CredReadW", "CryptUnprotectData"))
Process Creation

Monitor newly executed processes for suspicious activity listing credentials from the Windows Credentials locker (e.g. vaultcmd /listcreds:"Windows Credentials").[4]

Analytic 1 - New processes with parameters indicating credential searches in Windows Credential Manager.

index=security sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1(CommandLine IN ("vaultcmd.exe", "rundll32.exe keymgr.dll KRShowKeyMgr"))

References

  1. Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020.
  2. Microsoft. (2013, October 23). Credential Locker Overview. Retrieved November 24, 2020.
  3. Passcape. (n.d.). Windows Password Recovery - Vault Explorer and Decoder. Retrieved November 24, 2020.
  4. Arntz, P. (2016, March 30). The Windows Vault . Retrieved November 23, 2020.
  5. Microsoft. (2018, December 5). CredEnumarateA function (wincred.h). Retrieved November 24, 2020.
  6. Delpy, B. (2017, December 12). howto ~ credential manager saved credentials. Retrieved November 23, 2020.
  7. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  8. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
  9. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  10. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  1. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  2. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  3. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  4. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  5. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  6. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  7. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  8. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  9. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  10. Microsoft. (2016, August 31). Network access: Do not allow storage of passwords and credentials for network authentication. Retrieved November 23, 2020.