Credentials from Password Stores: Windows Credential Manager
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).
The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of Credentials from Web Browsers, Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.
Credential Lockers store credentials in encrypted
.vcrd files, located under
%Systemdrive%\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\. The encryption key can be found in a file named
Policy.vpol, typically located in the same folder as the credentials.
Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms.
vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may gather credentials by reading files located inside of the Credential Lockers. Adversaries may also abuse Windows APIs such as
CredEnumerateA to list credentials managed by the Credential Manager.
Adversaries may use password recovery tools to obtain plain text passwords from the Credential Manager.
|M1042||Disable or Remove Feature or Program||
Consider enabling the "Network access: Do not allow storage of passwords and credentials for network authentication" setting that will prevent network credentials from being stored by the Credential Manager.
Monitor process and command-line parameters of
vaultcmd.exe for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e.,
vaultcmd /listcreds:"Windows Credentials").
Consider monitoring file reads to Vault locations,
%Systemdrive%\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\, for suspicious activity.
- Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020.
- Microsoft. (2013, October 23). Credential Locker Overview. Retrieved November 24, 2020.
- Passcape. (n.d.). Windows Password Recovery - Vault Explorer and Decoder. Retrieved November 24, 2020.
- Arntz, P. (2016, March 30). The Windows Vault . Retrieved November 23, 2020.
- Microsoft. (2018, December 5). CredEnumarateA function (wincred.h). Retrieved November 24, 2020.
- Delpy, B. (2017, December 12). howto ~ credential manager saved credentials. Retrieved November 23, 2020.
- Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
- Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
- Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
- Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
- Microsoft. (2016, August 31). Network access: Do not allow storage of passwords and credentials for network authentication. Retrieved November 23, 2020.