T1555.004
Windows Credential Manager
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker) The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [C...
Windows
8 Detections
3 Sources
4 Threat Actors
BY SOURCE
4 sigma, 3 elastic, 1 splunk_escu
PROCEDURES (5)
Mimikatz: 2 detections
Auto-extracted: 2 detections for mimikatz
Lateral: 2 detections
Auto-extracted: 2 detections for lateral
Process Creation Monitoring: 2 detections
Auto-extracted: 2 detections for process creation monitoring
Dump: 1 detection
Auto-extracted: 1 detection for dump
Api: 1 detection
Auto-extracted: 1 detection for api
THREAT ACTORS (4)
DETECTIONS (8)
Access To Windows Credential History File By Uncommon Applications
sigma, medium
Access To Windows DPAPI Master Keys By Uncommon Applications
sigma, medium
Multiple Vault Web Credentials Read
elastic, medium
Potential Credential Access via Trusted Developer Utility
elastic, high
Searching for Saved Credentials via VaultCmd
elastic, medium
Suspicious Key Manager Access
sigma, high
Windows Credential Manager Access via VaultCmd
sigma, medium
Windows Credentials Access via VaultCli Module
splunk_escu