T1555.004: Windows Credential Manager
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).
The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of Credentials from Web Browsers, Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.
Credential Lockers store credentials in encrypted .vcrd files, located under %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.
Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may also gather credentials by directly reading files located inside of the Credential Lockers. Windows APIs, such as CredEnumerateA, may also be absued to list credentials managed by the Credential Manager.
Adversaries may also obtain credentials from credential backups. Credential backups and restorations may be performed by running rundll32.exe keymgr.dll KRShowKeyMgr then selecting the “Back up...” button on the “Stored User Names and Passwords” GUI.
Password recovery tools may also obtain plain text passwords from the Credential Manager.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
hacking_tools: PT-CR-758: Lazagne_Usage: Use of the LaZagne tool to dump credentials is detected hacking_tools: PT-CR-3049: ToxicEye_Usage: Suspicious activity similar to the activity of the ToxicEye remote access trojan (RAT) that uses Telegram as a command-and-control server. Signs of suspicious activity: a DNS query to the Telegram API, creation of specific dynamic libraries, persistence in the system by creating a scheduled task or a copy of the process in another directory or by accessing files containing confidential data. mitre_attck_cred_access: PT-CR-765: Credential_Access_To_Passwords_Storage: Access to files containing credentials, payment information, web browsing history, bookmarks, or cookies (browsers, password managers, video conferencing applications)
Detection
| ID | DS0022 | Data source and component | File: File Access | Description | Consider monitoring file reads to Vault locations, |
|---|
| ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor newly executed processes for suspicious activity listing credentials from the Windows Credentials locker (e.g. |
|---|
| ID | DS0009 | Data source and component | Process: OS API Execution | Description | Consider monitoring API calls such as |
|---|
| ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments for suspicious activity listing credentials from the Windows Credentials locker (e.g. |
|---|
Mitigation
| ID | M1042 | Name | Disable or Remove Feature or Program | Description | Consider enabling the “Network access: Do not allow storage of passwords and credentials for network authentication” setting that will prevent network credentials from being stored by the Credential Manager. |
|---|