Cmdkey.exe
Creates, lists, and deletes stored user names and passwords or credentials.
Paths:
- C:\Windows\System32\cmdkey.exe
- C:\Windows\SysWOW64\cmdkey.exe
Resources:
https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
Acknowledgement:
-
Detection:
Usage of this command could be an indicator of compromise (IOC).
Credentials
List cached credentials
cmdkey /list
Usecase: Get credential information from host
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre: T1078