Esc
Windows Credential Manager - T1555.004

(ATT&CK® Technique)
Definition

Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1555004["Windows Credential Manager"] --> |accesses| PasswordStore["Password Store"]; class T1555004 OffensiveTechniqueNode;
        class PasswordStore ArtifactNode; click PasswordStore href "/dao/artifact/d3f:PasswordStore";
        click T1555004 href "/offensive-technique/attack/T1555.004/"; click PasswordStore href "/dao/artifact/d3f:PasswordStore"; T1555004["Windows Credential Manager"] --> |may-access| DatabaseFile["Database File"]; class T1555004 OffensiveTechniqueNode;
        class DatabaseFile ArtifactNode; click DatabaseFile href "/dao/artifact/d3f:DatabaseFile";
        click T1555004 href "/offensive-technique/attack/T1555.004/"; click DatabaseFile href "/dao/artifact/d3f:DatabaseFile";DecoyFile["Decoy File"] -->
          | spoofs | DatabaseFile["Database File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1555004["Windows Credential Manager"] ;
          class DecoyFile DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | DatabaseFile["Database File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1555004["Windows Credential Manager"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
          | deletes | DatabaseFile["Database File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1555004["Windows Credential Manager"] ;
          class FileEviction DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
          | encrypts | DatabaseFile["Database File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1555004["Windows Credential Manager"] ;
          class FileEncryption DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
          | restricts | DatabaseFile["Database File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1555004["Windows Credential Manager"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; ContentModification["Content Modification"] -->
          | modifies | DatabaseFile["Database File"];

          ContentModification["Content Modification"] -.->
            | may-isolate | T1555004["Windows Credential Manager"] ;
          class ContentModification DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click ContentModification href "/technique/d3f:ContentModification"; ContentQuarantine["Content Quarantine"] -->
          | quarantines | DatabaseFile["Database File"];

          ContentQuarantine["Content Quarantine"] -.->
            | may-isolate | T1555004["Windows Credential Manager"] ;
          class ContentQuarantine DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click ContentQuarantine href "/technique/d3f:ContentQuarantine";  RestoreDatabase["Restore Database"] -->
          | restores | PasswordStore["Password Store"];

          RestoreDatabase["Restore Database"] -.->
            | may-restore | T1555004["Windows Credential Manager"] ;
          class RestoreDatabase DefensiveTechniqueNode;
          class PasswordStore ArtifactNode;
          click RestoreDatabase href "/technique/d3f:RestoreDatabase"; RestoreFile["Restore File"] -->
          | restores | DatabaseFile["Database File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1555004["Windows Credential Manager"] ;
          class RestoreFile DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] -->
          | analyzes | DatabaseFile["Database File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1555004["Windows Credential Manager"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis"; ContentFiltering["Content Filtering"] -->
          | filters | DatabaseFile["Database File"];

          ContentFiltering["Content Filtering"] -.->
            | may-isolate | T1555004["Windows Credential Manager"] ;
          class ContentFiltering DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click ContentFiltering href "/technique/d3f:ContentFiltering"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | DatabaseFile["Database File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1555004["Windows Credential Manager"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";
json