
DET0134 Detect Suspicious Access to Windows Credential Manager

| Item | Value |
|---|---|
| ID | DET0134 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1555.004 (Windows Credential Manager)

Analytics

Windows

AN0378

Detects unauthorized access to Windows Credential Manager through anomalous process execution (vaultcmd.exe, rundll32.exe keymgr.dll), suspicious API calls (CredEnumerateA), or direct file access to Credential Locker files. Correlates process creation with subsequent file reads of .vcrd/.vpol files under user Credential Locker directories.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |

Mutable Elements

| Field | Description |
|---|---|
| MonitoredPaths | Credential Locker paths such as `%Systemdrive%\Users\*\AppData\Local\Microsoft\Credentials` and `%Systemdrive%\Users\*\AppData\Local\Microsoft\Vault` |
| TimeWindow | Correlation window between process execution, file access, and API calls |
| PrivilegedUsers | Baseline of expected administrative/service accounts with legitimate Credential Manager access |
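The process-creation to file-access correlation described by AN0378, written out as an added Python example (this is not code from the ATT&CK page or from the DET0134 analytic). It runs over constructed Security 4688 and Sysmon 15 events; the monitored paths, the 60-second window and the privileged-user set are assumed tuning values for the mutable elements above, and `<GUID>` stands in for a vault folder name.

```python
import re
from datetime import datetime, timedelta

# Mutable elements from the analytic; the values are placeholders to tune per environment.
MONITORED_PATHS = [re.compile(p, re.I) for p in (
    r"\\Users\\[^\\]+\\AppData\\Local\\Microsoft\\Credentials\\",
    r"\\Users\\[^\\]+\\AppData\\Local\\Microsoft\\Vault\\")]
TIME_WINDOW = timedelta(seconds=60)
PRIVILEGED_USERS = {"corp\\svc_backup"}          # baselined accounts (lower-cased)
LOCKER_FILE = re.compile(r"\.(vcrd|vpol)$", re.I)

def is_suspicious_process(image, cmdline):
    """vaultcmd.exe, or rundll32.exe loading keymgr.dll, as named in the analytic."""
    name = image.rsplit("\\", 1)[-1].lower()
    return name == "vaultcmd.exe" or (name == "rundll32.exe" and "keymgr.dll" in cmdline.lower())

def is_locker_file(path):
    """A .vcrd/.vpol file located under one of the monitored Credential Locker paths."""
    return bool(LOCKER_FILE.search(path)) and any(p.search(path) for p in MONITORED_PATHS)

def correlate(events):
    """Pair each suspicious 4688 with later Sysmon 15 locker-file events by the same user
    inside TIME_WINDOW; baselined privileged users are skipped. Returns alert tuples."""
    alerts = []
    for proc in events:
        if proc["code"] != 4688 or proc["user"].lower() in PRIVILEGED_USERS:
            continue
        if not is_suspicious_process(proc["image"], proc.get("cmdline", "")):
            continue
        t0 = datetime.fromisoformat(proc["ts"])
        for fev in events:
            if fev["code"] != 15 or fev["user"].lower() != proc["user"].lower():
                continue
            delta = datetime.fromisoformat(fev["ts"]) - t0
            if timedelta(0) <= delta <= TIME_WINDOW and is_locker_file(fev["target"]):
                alerts.append((proc["user"], proc["image"], fev["target"]))
    return alerts

# Constructed sample events (not real telemetry); <GUID> stands in for a vault folder name.
SAMPLE_EVENTS = [
    {"ts": "2025-10-21T10:00:00", "code": 4688, "user": "CORP\\alice",
     "image": r"C:\Windows\System32\vaultcmd.exe", "cmdline": 'vaultcmd /listcreds:"Windows Credentials" /all'},
    {"ts": "2025-10-21T10:00:04", "code": 15, "user": "CORP\\alice",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Vault\<GUID>\Policy.vpol"},
    {"ts": "2025-10-21T10:05:00", "code": 4688, "user": "CORP\\svc_backup",   # baselined: no alert
     "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe keymgr.dll,KRShowKeyMgr"},
    {"ts": "2025-10-21T10:05:01", "code": 15, "user": "CORP\\svc_backup",
     "target": r"C:\Users\svc_backup\AppData\Local\Microsoft\Vault\<GUID>\Policy.vpol"},
    {"ts": "2025-10-21T10:09:00", "code": 15, "user": "CORP\\alice",           # outside TimeWindow
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Vault\<GUID>\Policy.vpol"},
]
```

Only the alice pair at 10:00:00/10:00:04 produces an alert; the svc_backup pair is suppressed by the PrivilegedUsers baseline and the 10:09:00 file event falls outside the window.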