216.73.217.22

T1555.004: T1555.004

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/04/2026 16:45

Essential information

MITRE technique ID
T1555.004
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
27/04/2026 16:45
Author / Source
The MITRE Corporation

Aliases

Windows Credential Manager

Platforms

windows

Description

Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker) The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker. Credential Lockers store credentials in encrypted `.vcrd` files, located under `%Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\`. The encryption key can be found in a file named `Policy.vpol`, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault) Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. `vaultcmd.exe` is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may also gather credentials by directly reading files located inside of the Credential Lockers. Windows APIs, such as `CredEnumerateA`, may also be absued to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager) Adversaries may also obtain credentials from credential backups. Credential backups and restorations may be performed by running `rundll32.exe keymgr.dll KRShowKeyMgr` then selecting the “Back up...” button on the “Stored User Names and Passwords” GUI. Password recovery tools may also obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault)

Kill chain phases

Kill chainPhase
mitre-attack credential-access

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (8)

  • Stealth Falcon uses
    The MITRE Corporation Confidence 100

    [Stealth Falcon](https://attack.mitre.org/groups/G0038) is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Wizard Spider uses TEMP.MixMasterGrim Spider
    The MITRE Corporation Confidence 100

    [Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • OilRig uses COBALT GYPSYIRN2
    The MITRE Corporation Confidence 100

    [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Trigona uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 00:05 · Modified 21/12/2025 03:03
  • Rhantus uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 27/04/2026 16:45 · Modified 27/04/2026 16:45
  • SnakeKeylogger uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 13:02 · Modified 21/12/2025 13:02
  • Turla uses IRON HUNTERGroup 88
    The MITRE Corporation Confidence 100

    [Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • UNK_DeadDrop uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 09/06/2026 10:58 · Modified 09/06/2026 10:58

Malware (31)

  • RisePro uses
    Family
    Published 16/12/2024 23:06 · Modified 16/12/2024 23:06
  • Sha1-Hulud uses
    Family
    Published 27/11/2025 14:13 · Modified 27/11/2025 14:13
  • FlexibleFerret uses
    Family
    Published 08/06/2026 10:05 · Modified 08/06/2026 10:05
  • EDDIESTEALER uses
    Family
    Published 18/06/2025 12:27 · Modified 18/06/2025 12:27
  • HRSword uses
    Family
    Published 01/05/2026 17:53 · Modified 01/05/2026 17:53
  • DumpGuard uses
    Family
    Published 01/05/2026 17:53 · Modified 01/05/2026 17:53
  • RokRAT uses
    Family
    Published 05/02/2025 16:10 · Modified 05/02/2025 16:10
  • ParsVbs uses
    Family
    Published 01/05/2026 17:53 · Modified 01/05/2026 17:53
  • PCHunter uses
    Family
    Published 01/05/2026 17:53 · Modified 01/05/2026 17:53
  • RainyDay
  • StartBat uses
    Family
    Published 01/05/2026 17:53 · Modified 01/05/2026 17:53
  • Invisible Ferret uses
    Family
    Published 08/06/2026 10:05 · Modified 08/06/2026 10:05
  • GoGra uses
    Family
    Published 01/05/2026 17:53 · Modified 01/05/2026 17:53
  • KGH_SPY
  • PowerRun uses
    Family
    Published 13/05/2026 09:08 · Modified 13/05/2026 09:08
  • uploader_client.exe uses
    Family
    Published 01/05/2026 17:53 · Modified 01/05/2026 17:53
  • Valak
  • uploader_client
  • OtterCookie uses
    Family
    Published 08/06/2026 10:05 · Modified 08/06/2026 10:05
  • mimikatz uses
    Family
    Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
  • StpProcessMonitorByovd uses
    Family
    Published 01/05/2026 17:53 · Modified 01/05/2026 17:53
  • Overlord uses
    Family
    Published 08/06/2026 10:05 · Modified 08/06/2026 10:05
  • Lizar
  • YDark uses
    Family
    Published 01/05/2026 17:53 · Modified 01/05/2026 17:53
  • Trigona uses
    Family
    Published 01/05/2026 17:53 · Modified 01/05/2026 17:53
  • PrivateLoader uses
    Family
    Published 14/01/2025 15:22 · Modified 14/01/2025 15:22
  • AnyDesk uses
    Family
    Published 10/06/2026 11:58 · Modified 10/06/2026 11:58
  • MalExtractor uses
    Family
    Published 01/05/2026 17:53 · Modified 01/05/2026 17:53
  • Volgmer - S0180 uses
    Family
    Published 01/05/2026 17:53 · Modified 01/05/2026 17:53
  • WKTools uses
    Family
    Published 01/05/2026 17:53 · Modified 01/05/2026 17:53
  • SnakeKeylogger uses
    Family
    Published 24/04/2025 13:40 · Modified 24/04/2025 13:40

Reports (4)

Attack patterns (MITRE) (1)

  • T1555 subtechnique-of
    Credentials from Password Stores

Course Of Action (1)

  • Disable or Remove Feature or Program mitigates

Tool (4)

  • Mimikatz uses
    The MITRE Corporation Confidence 100

    [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of …

    Published 31/05/2017 23:32 · Modified 27/03/2026 01:07
  • LaZagne uses
    The MITRE Corporation Confidence 100

    [LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows …

    Published 30/01/2019 17:44 · Modified 27/03/2026 01:07
  • PowerSploit uses
    The MITRE Corporation Confidence 100

    [PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code …

    Published 18/04/2018 19:59 · Modified 27/03/2026 01:07
  • SILENTTRINITY uses
    The MITRE Corporation Confidence 100

    [SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a …

    Published 23/03/2022 20:34 · Modified 27/03/2026 01:07

Campaign (1)

  • Juicy Mix uses