Esc
Windows Credential Manager - T1555.004
(ATT&CK® Technique)
Definition
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1555004["Windows Credential Manager"] --> |may-access| DatabaseFile["Database File"]; class T1555004 OffensiveTechniqueNode;
class DatabaseFile ArtifactNode; click DatabaseFile href "/dao/artifact/d3f:DatabaseFile";
click T1555004 href "/offensive-technique/attack/T1555.004/"; click DatabaseFile href "/dao/artifact/d3f:DatabaseFile"; T1555004["Windows Credential Manager"] --> |accesses| PasswordStore["Password Store"]; class T1555004 OffensiveTechniqueNode;
class PasswordStore ArtifactNode; click PasswordStore href "/dao/artifact/d3f:PasswordStore";
click T1555004 href "/offensive-technique/attack/T1555.004/"; click PasswordStore href "/dao/artifact/d3f:PasswordStore";DecoyFile["Decoy File"] -->
| spoofs | DatabaseFile["Database File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1555004["Windows Credential Manager"] ;
class DecoyFile DefensiveTechniqueNode;
class DatabaseFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | DatabaseFile["Database File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1555004["Windows Credential Manager"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class DatabaseFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
| deletes | DatabaseFile["Database File"];
FileEviction["File Eviction"] -.->
| may-evict | T1555004["Windows Credential Manager"] ;
class FileEviction DefensiveTechniqueNode;
class DatabaseFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
| encrypts | DatabaseFile["Database File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1555004["Windows Credential Manager"] ;
class FileEncryption DefensiveTechniqueNode;
class DatabaseFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
| restricts | DatabaseFile["Database File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1555004["Windows Credential Manager"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class DatabaseFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreFile["Restore File"] -->
| restores | DatabaseFile["Database File"];
RestoreFile["Restore File"] -.->
| may-restore | T1555004["Windows Credential Manager"] ;
class RestoreFile DefensiveTechniqueNode;
class DatabaseFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreDatabase["Restore Database"] -->
| restores | PasswordStore["Password Store"];
RestoreDatabase["Restore Database"] -.->
| may-restore | T1555004["Windows Credential Manager"] ;
class RestoreDatabase DefensiveTechniqueNode;
class PasswordStore ArtifactNode;
click RestoreDatabase href "/technique/d3f:RestoreDatabase"; FileAnalysis["File Analysis"] -->
| analyzes | DatabaseFile["Database File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1555004["Windows Credential Manager"] ;
class FileAnalysis DefensiveTechniqueNode;
class DatabaseFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | DatabaseFile["Database File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1555004["Windows Credential Manager"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class DatabaseFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";