Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of Credentials from Web Browsers, Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.
Credential Lockers store credentials in encrypted .vcrd files, located under %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\. The encryption key can be found in a file named <code>Policy.vpol</code>, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)
Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. <code>vaultcmd.exe</code> is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may also gather credentials by directly reading files located inside of the Credential Lockers. Windows APIs, such as <code>CredEnumerateA</code>, may also be absued to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Adversaries may also obtain credentials from credential backups. Credential backups and restorations may be performed by running <code>rundll32.exe keymgr.dll KRShowKeyMgr</code> then selecting the “Back up…” button on the “Stored User Names and Passwords” GUI.
Password recovery tools may also obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1555.004 | Windows Credential Manager | |
| IA-05 | Authenticator Management | mitigates | T1555.004 | Windows Credential Manager | |
| CM-02 | Baseline Configuration | mitigates | T1555.004 | Windows Credential Manager | |
| CM-07 | Least Functionality | mitigates | T1555.004 | Windows Credential Manager | |
| SI-04 | System Monitoring | mitigates | T1555.004 | Windows Credential Manager |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1555.004 | Windows Credential Manager | |
| attribute.confidentiality.data_disclosure | None | related-to | T1555.004 | Windows Credential Manager |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1555.004 | Windows Credential Manager |
Comments
This control can detect command execution associated with this technique.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-ID-E5 | Microsoft Defender for Identity | Technique Scores | T1555.004 | Windows Credential Manager |
Comments
This control's "Malicious request of Data Protection API master key (external ID 2020)" alert can be used to detect when an attacker attempts to utilize the Data Protection API (DPAPI) to decrypt sensitive data using the backup of the master key stored on domain controllers. Windows Credential Manager utilizes DPAPI to securely store sensitive information like passwords. This alert is specific to using DPAPI to retrieve the master backup key and therefore provides minimal coverage resulting in a Minimal score.
References
|