
Attacking Windows Credential Manager

Overview

Windows Credential Manager is a built-in feature (since Server 2008 R2 / Windows 7) that allows users and applications to securely store credentials for other systems and websites. Credentials are stored in encrypted folders protected by DPAPI.

Credential Storage Locations

| Path | Scope |
|------|-------|
| %UserProfile%\AppData\Local\Microsoft\Vault\ | User |
| %UserProfile%\AppData\Local\Microsoft\Credentials\ | User |
| %UserProfile%\AppData\Roaming\Microsoft\Vault\ | User |
| %ProgramData%\Microsoft\Vault\ | System |
| %SystemRoot%\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault\ | System |

Each vault contains a Policy.vpol file with AES keys (AES-128/256) protected by DPAPI. Credential Guard (newer Windows) further protects DPAPI master keys using VBS (Virtualization-based Security).

Credential Types

| Type | Description |
|------|-------------|
| Web Credentials | Credentials for websites/online accounts (used by IE and legacy Edge) |
| Windows Credentials | Login tokens for services (OneDrive), domain users, network resources, shared directories |

Enumeration with cmdkey

List stored credentials for the current user:

cmdkey /list

Output fields:

| Field | Description |
|-------|-------------|
| Target | Resource/account name (computer, domain, or identifier) |
| Type | Credential kind: Generic (general) or Domain Password (domain logon) |
| User | Associated user account |
| Persistence | Local machine persistence = survives reboots |

Impersonation with runas

When the list shows a target of the form Domain:interactive=, the stored credential can be used to start a process as that user:

runas /savecred /user:DOMAIN\username cmd

Exporting Vaults

Export via GUI:

rundll32 keymgr.dll,KRShowKeyMgr

Exports are password-encrypted .crd files, importable on other Windows systems.

Credential Extraction with Mimikatz

Dump credentials from LSASS memory using the sekurlsa module:

mimikatz # privilege::debug
mimikatz # sekurlsa::credman

Alternatively, decrypt the vault files manually with Mimikatz's dpapi module.

Tools commonly used against Credential Manager and DPAPI:

| Tool | Description |
|------|-------------|
| Mimikatz | Windows credential extraction and manipulation |
| SharpDPAPI | C# implementation for DPAPI attacks |
| LaZagne | Multi-platform credential recovery |
| DonPAPI | Remote DPAPI credential extraction |
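The commands covered above (cmdkey /list, runas /savecred, the keymgr.dll export dialog and sekurlsa::credman) all leave a process command line behind, which is the natural place to detect them. The following is an added example, not code from the original post: it runs simple command-line rules over constructed Sysmon process-creation events exported as JSON (the record keys and the sample lines are assumptions, not real telemetry).

```python
import json
import re
from typing import Iterable

# Detection rules for the Credential Manager techniques this page describes,
# matched against the command line of Sysmon Event ID 1 (process creation).
RULES = (
    ("credman_enumeration", re.compile(r"\bcmdkey(?:\.exe)?\b.*\s/list\b", re.I)),
    ("runas_savecred", re.compile(r"\brunas(?:\.exe)?\b.*\s/savecred\b", re.I)),
    ("keymgr_export_dialog",
     re.compile(r"\brundll32(?:\.exe)?\b.*\bkeymgr\.dll\s*,\s*KRShowKeyMgr\b", re.I)),
    ("mimikatz_credman", re.compile(r"sekurlsa::credman", re.I)),
)

def classify(command_line: str) -> list[str]:
    """Return the name of every rule the command line triggers."""
    return [name for name, pat in RULES if pat.search(command_line)]

def scan_events(lines: Iterable[str]) -> list[dict]:
    """Parse one JSON event per line and return one alert per rule hit.
    Assumed record keys (constructed Sysmon export): EventID, User, Image,
    CommandLine. Unparseable lines and non-ID-1 events are skipped."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("EventID") != 1:
            continue
        for rule in classify(ev.get("CommandLine", "")):
            alerts.append({"rule": rule, "user": ev.get("User"),
                           "image": ev.get("Image"), "command_line": ev["CommandLine"]})
    return alerts

# Constructed sample events (not real telemetry): one per technique on this
# page, plus a benign rundll32 call, a network event and a corrupt line.
SAMPLE_EVENTS = [
    r'{"EventID":1,"User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\cmdkey.exe","CommandLine":"cmdkey /list"}',
    r'{"EventID":1,"User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe shell32.dll,Control_RunDLL"}',
    r'{"EventID":3,"Image":"C:\\Windows\\System32\\svchost.exe","DestinationIp":"10.0.0.5"}',
    r'{"EventID":1,"User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\runas.exe","CommandLine":"runas /savecred /user:CORP\\svc_backup cmd"}',
    r'{"EventID":1,"User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32 keymgr.dll,KRShowKeyMgr"}',
    r'{"EventID":1,"User":"CORP\\jdoe","Image":"C:\\Users\\Public\\m.exe","CommandLine":"m.exe \"privilege::debug\" \"sekurlsa::credman\" exit"}',
    "not json at all",
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f'{alert["rule"]:22} {alert["user"]}  {alert["command_line"]}')
```

In production the benign rundll32 and cmdkey /add baselines matter more than the rules themselves; tune on the parent process and user context before alerting.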

MITRE ATT&CK Reference