1. Home
  2. ATT&CK Techniques
  3. T1555
  4. T1555.004
Credential Access

T1555.004: Windows Credential Manager

Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication t...

T1555.004 · Sub-technique ·1 platforms ·4 groups

Description

Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)

The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of Credentials from Web Browsers, Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.

Credential Lockers store credentials in encrypted .vcrd files, located under %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)

Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may also gather credentials by directly reading files located inside of the Credential Lockers. Windows APIs, such as CredEnumerateA, may also be absued to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)

Adversaries may also obtain credentials from credential backups. Credential backups and restorations may be performed by running rundll32.exe keymgr.dll KRShowKeyMgr then selecting the “Back up...” button on the “Stored User Names and Passwords” GUI.

Password recovery tools may also obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault)

Platforms

Windows

Mitigations (1)

Disable or Remove Feature or ProgramM1042

Consider enabling the “Network access: Do not allow storage of passwords and credentials for network authentication” setting that will prevent network credentials from being stored by the Credential Manager.(Citation: Microsoft Network access Credential Manager)

Threat Groups (4)

IDGroupContext
G0049OilRig[OilRig](https://attack.mitre.org/groups/G0049) has used credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Man...
G0038Stealth Falcon[Stealth Falcon](https://attack.mitre.org/groups/G0038) malware gathers passwords from the Windows Credential Vault.(Citation: Citizen Lab Stealth Fal...
G0010Turla[Turla](https://attack.mitre.org/groups/G0010) has gathered credentials from the Windows Credential Manager tool.(Citation: Symantec Waterbug Jun 2019...
G0102Wizard Spider[Wizard Spider](https://attack.mitre.org/groups/G0102) has used PowerShell cmdlet `Invoke-WCMDump` to enumerate Windows credentials in the Credential ...

Associated Software (9)

IDNameTypeContext
S0476ValakMalware[Valak](https://attack.mitre.org/software/S0476) can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager...
S0349LaZagneTool[LaZagne](https://attack.mitre.org/software/S0349) can obtain credentials from Vault files.(Citation: GitHub LaZagne Dec 2018)
S0681LizarMalware[Lizar](https://attack.mitre.org/software/S0681) has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using `vaultcmd....
S0240ROKRATMalware[ROKRAT](https://attack.mitre.org/software/S0240) can steal credentials by leveraging the Windows Vault mechanism.(Citation: Talos Group123)
S0629RainyDayMalware[RainyDay](https://attack.mitre.org/software/S0629) can use the QuarksPwDump tool to obtain local passwords and domain cached credentials.(Citation: B...
S0692SILENTTRINITYTool[SILENTTRINITY](https://attack.mitre.org/software/S0692) can gather Windows Vault credentials.(Citation: GitHub SILENTTRINITY Modules July 2019)
S0002MimikatzTool[Mimikatz](https://attack.mitre.org/software/S0002) contains functionality to acquire credentials from the Windows Credential Manager.(Citation: Delpy...
S0526KGH_SPYMalware[KGH_SPY](https://attack.mitre.org/software/S0526) can collect credentials from the Windows Credential Manager.(Citation: Cybereason Kimsuky November ...
S0194PowerSploitTool[PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Exfiltration modules that can harvest credentials from Windows vault c...

References

Frequently Asked Questions

What is T1555.004 (Windows Credential Manager)?

T1555.004 is a MITRE ATT&CK technique named 'Windows Credential Manager'. It belongs to the Credential Access tactic(s). Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication t...

How can T1555.004 be detected?

Detection of T1555.004 (Windows Credential Manager) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1555.004?

There are 1 documented mitigations for T1555.004. Key mitigations include: Disable or Remove Feature or Program.

Which threat groups use T1555.004?

Known threat groups using T1555.004 include: OilRig, Stealth Falcon, Turla, Wizard Spider.