Windows Credential Manager is the built-in vault that stores credentials users save: web logins, network share passwords, and Remote Desktop credentials. It keeps them in Web and Windows vaults, protected by DPAPI. An attacker running as the user (or with their DPAPI master key) can read the saved credentials back as cleartext, collecting passwords to shares, sites, and remote systems. It is a quick, high-value harvest once a user is compromised.
What Credential Manager is
Credential Manager is the Windows feature that remembers passwords so users do not retype them, for websites (Web Credentials) and for Windows resources like file shares and RDP connections (Windows Credentials).
The stored secrets are protected with DPAPI, tied to the user. That protection is exactly as strong as the user’s context, so anyone who can act as the user can ask Credential Manager to give the secrets back.
The abuse and payload
In a compromised user’s session, the attacker reads the vault:
- List saved credentials: `cmdkey /list` and `vaultcmd /listcreds:"Windows Credentials" /all`.
- Decrypt them with a DPAPI-aware credential tool (`vault::cred`, `dpapi::cred`) to recover cleartext share, RDP, and web passwords.
- Saved RDP and share credentials often point straight at other hosts, fueling lateral movement.
Documented techniques shown for defenders.
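The listing step above is also the defender's starting point: `cmdkey /list` shows, without decrypting anything, which saved credentials a compromised session would expose. The script below is an added example, not code from the page or from Microsoft; it parses the text format of `cmdkey /list` and flags the entries that matter most (saved RDP credentials, saved Windows credentials to shares or hosts, and anything saved for a privileged account). The sample output, the host names, and the `da-`/`adm-` privileged-account naming convention are constructed assumptions for the example.

```python
import re

# Constructed sample of `cmdkey /list` output; it is not captured from a real
# host, and the account and host names are made up.
SAMPLE_CMDKEY_OUTPUT = """\
Currently stored credentials:

    Target: Domain:target=TERMSRV/srv01
    Type: Domain Password
    User: CORP\\da-alice

    Target: Domain:target=fileserver
    Type: Domain Password
    User: CORP\\alice
    Local machine persistence

    Target: LegacyGeneric:target=git:https://github.com
    Type: Generic
    User: alice
"""

# Assumption: the site prefixes privileged account names with one of these.
PRIVILEGED_USER_PREFIXES = ("da-", "adm-")


def parse_cmdkey(output):
    """Turn cmdkey /list text into a list of {target, type, user} dicts."""
    entries, current = [], {}
    for raw in output.splitlines():
        m = re.match(r"(Target|Type|User):\s*(.*)", raw.strip())
        if not m:
            continue  # banner line, blank line, or "Local machine persistence"
        field, value = m.group(1).lower(), m.group(2).strip()
        if field == "target" and current:
            entries.append(current)  # a new Target line starts the next entry
            current = {}
        current[field] = value
    if current:
        entries.append(current)
    return entries


def assess(entries):
    """Flag entries that give an attacker a path to other hosts or to privileged accounts."""
    findings = []
    for e in entries:
        target, user = e.get("target", ""), e.get("user", "")
        reasons = []
        if "TERMSRV/" in target:
            reasons.append("saved RDP credential")
        elif e.get("type") == "Domain Password":
            reasons.append("saved Windows credential for a share or host")
        # Strip the DOMAIN\ prefix before checking the naming convention.
        if user.split("\\")[-1].lower().startswith(PRIVILEGED_USER_PREFIXES):
            reasons.append("privileged account saved on this workstation")
        if reasons:
            findings.append({"target": target, "user": user, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess(parse_cmdkey(SAMPLE_CMDKEY_OUTPUT)):
        print(f"{f['user']:<16} {f['target']:<45} {', '.join(f['reasons'])}")
```

In practice the `cmdkey /list` text would be collected per user through endpoint management tooling and fed to `parse_cmdkey`; the generic web credential in the sample is deliberately left unflagged so the report concentrates on the entries that enable lateral movement.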
How to defend
- Discourage saving credentials for privileged shares and remote connections via policy.
- Limit local admin and enable [Credential Guard](/learn/active-directory/what-is-credential-guard) to make user-context theft harder.
- Use just-in-time access rather than long-lived saved credentials to sensitive systems.
- Keep privileged accounts off ordinary workstations so their credentials are never saved there.
- Detect bulk vault/credential reads.
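The last point can be made concrete. When the "Audit Other Logon/Logoff Events" subcategory is enabled, Windows writes Security-log Event ID 5379 ("Credential Manager credentials were read") each time a credential is read from the vault. Interactive use reads one target at a time; a dump reads every target within seconds. The detector below is an added example, not code from the page, and uses a constructed, simplified one-line-per-event form of that log (the event ID and the SubjectUserName, SubjectDomainName and TargetName field names are real; the timestamps, users, process paths and targets are made up, and the 60-second window and four-target threshold are assumptions to tune locally).

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample, not real telemetry: one Security-log event per line in a
# simplified key=value form, as a SIEM export might look after flattening.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z EventID=5379 SubjectUserName=alice SubjectDomainName=CORP ProcessName=C:\\Windows\\System32\\mstsc.exe TargetName=TERMSRV/srv01
2024-05-01T10:00:02Z EventID=5379 SubjectUserName=alice SubjectDomainName=CORP ProcessName=C:\\Windows\\System32\\mstsc.exe TargetName=TERMSRV/srv01
2024-05-01T11:30:00Z EventID=4624 SubjectUserName=bob SubjectDomainName=CORP ProcessName=- TargetName=-
2024-05-01T11:30:00Z EventID=5379 SubjectUserName=bob SubjectDomainName=CORP ProcessName=C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe TargetName=TERMSRV/srv01
2024-05-01T11:30:00Z EventID=5379 SubjectUserName=bob SubjectDomainName=CORP ProcessName=C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe TargetName=Domain:target=fileserver
2024-05-01T11:30:01Z EventID=5379 SubjectUserName=bob SubjectDomainName=CORP ProcessName=C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe TargetName=LegacyGeneric:target=git:https://github.com
2024-05-01T11:30:01Z EventID=5379 SubjectUserName=bob SubjectDomainName=CORP ProcessName=C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe TargetName=Microsoft_WinInet_intranet
2024-05-01T11:30:02Z EventID=5379 SubjectUserName=bob SubjectDomainName=CORP ProcessName=C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe TargetName=LegacyGeneric:target=vpn
"""


def parse_events(text):
    """Parse the constructed format: an ISO timestamp followed by key=value tokens."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
        for token in rest.split():
            key, _, value = token.partition("=")  # values may themselves contain '='
            ev[key] = value
        events.append(ev)
    return events


def detect_bulk_reads(text, window_seconds=60, min_distinct_targets=4):
    """Alert when one user+process reads at least min_distinct_targets distinct
    credentials inside a sliding window of window_seconds."""
    recent = defaultdict(deque)  # (user, process) -> deque of (ts, target)
    alerts = []
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        if ev.get("EventID") != "5379":
            continue
        user = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        key = (user, ev["ProcessName"])
        q = recent[key]
        q.append((ev["ts"], ev["TargetName"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop reads that fell out of the window
        targets = {t for _, t in q}
        if len(targets) >= min_distinct_targets:
            alerts.append({
                "user": user,
                "process": ev["ProcessName"],
                "first_read": q[0][0],
                "last_read": ev["ts"],
                "targets": sorted(targets),
            })
            q.clear()  # one alert per burst, not one per additional read
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_reads(SAMPLE_EVENTS):
        span = (a["last_read"] - a["first_read"]).total_seconds()
        print(f"{a['user']} via {a['process']} read {len(a['targets'])} targets in {span:.0f}s: {a['targets']}")
```

Keying on user plus process is what separates the two users in the sample: alice's repeated reads of one RDP target from `mstsc.exe` never trip the threshold, while bob's burst of different targets from a binary in `%TEMP%` does. A real deployment would add the process allowlist (RDP client, browsers, the credential UI) and forward the alert to the SIEM rather than printing it.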