ID | Name |
---|---|
T1555.001 | Keychain |
T1555.002 | Securityd Memory |
T1555.003 | Credentials from Web Browsers |
T1555.004 | Windows Credential Manager |
T1555.005 | Password Managers |
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).[1][2]
The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of Credentials from Web Browsers, Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.
Credential Lockers store credentials in encrypted .vcrd
files, located under %Systemdrive%\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\
. The encryption key can be found in a file named Policy.vpol
, typically located in the same folder as the credentials.[3][4]
Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe
is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may gather credentials by reading files located inside of the Credential Lockers. Adversaries may also abuse Windows APIs such as CredEnumerateA
to list credentials managed by the Credential Manager.[5][6]
Adversaries may use password recovery tools to obtain plain text passwords from the Credential Manager.[4]
ID | Name | Description |
---|---|---|
S0526 | KGH_SPY |
KGH_SPY can collect credentials from the Windows Credential Manager.[7] |
S0349 | LaZagne | |
S0681 | Lizar |
Lizar has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using |
S0002 | Mimikatz |
Mimikatz contains functionality to acquire credentials from the Windows Credential Manager.[6] |
G0049 | OilRig |
OilRig has used credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.[10] |
S0194 | PowerSploit |
PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Windows vault credential objects.[11][12] |
S0629 | RainyDay |
RainyDay can use the QuarksPwDump tool to obtain local passwords and domain cached credentials.[13] |
S0240 | ROKRAT |
ROKRAT can steal credentials by leveraging the Windows Vault mechanism.[14] |
S0692 | SILENTTRINITY |
SILENTTRINITY can gather Windows Vault credentials.[15] |
G0038 | Stealth Falcon |
Stealth Falcon malware gathers passwords from the Windows Credential Vault.[16] |
G0010 | Turla |
Turla has gathered credentials from the Windows Credential Manager tool.[17] |
S0476 | Valak |
Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager.[18] |
ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program |
Consider enabling the "Network access: Do not allow storage of passwords and credentials for network authentication" setting that will prevent network credentials from being stored by the Credential Manager.[19] |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
DS0009 | Process | OS API Execution |
Process Creation |
Monitor process and command-line parameters of vaultcmd.exe
for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:"Windows Credentials"
).[4]
Consider monitoring API calls such as CredEnumerateA
that may list credentials from the Windows Credential Manager.[5][6]
Consider monitoring file reads to Vault locations, %Systemdrive%\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\
, for suspicious activity.[4]