Stored credentials exported using credwiz.exe

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Credentials from Password Stores (T1555)
Severity	Low

Attackers may abuse the credwiz tool to export stored accounts.

An attacker may attempt to gain higher privileges.

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.

ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Credentials from Password Stores (T1555)
Severity	Medium

Attackers may abuse the credwiz tool to export stored accounts using keymgr.dll's KRShowKeyMgr function.

An attacker may attempt to gain higher privileges.

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Attackers may abuse the credwiz tool to export stored accounts over RDP.

An attacker may attempt to gain higher privileges.

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.

ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Credentials from Password Stores (T1555)
Severity	Low

Attackers may abuse the credwiz tool to export stored accounts with a built-in Windows tool.

An attacker may attempt to gain higher privileges.

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.