title: Windows Credential Manager Access via VaultCmd
id: 58f50261-c53b-4c88-bd12-1d71f12eda4c
status: experimental
description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe 
author: frack113
date: 2022/04/08
modified: 2022/05/13
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\VaultCmd.exe'
        - OriginalFileName: 'VAULTCMD.EXE'
    selection_cli:
        CommandLine|contains: '/listcreds:'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
tags:
    - attack.credential_access
    - attack.t1555.004