VaultCmd.exe

  • File Path: C:\Windows\system32\VaultCmd.exe
  • Description: Vault cmdline Program

Hashes

Type Hash
MD5 24AD59DBE3B726704E1444C83F6CEF06
SHA1 52C21668784B9FB9D3B53B16EE517A0B221C8A82
SHA256 9E68FCF6FD1104BBD1CA47BB36347ABC621329924F880B75793638AF04DC607E
SHA384 52FA6970A00986CF3C57A5D4FDFE1F3AB517CE7711F506A39902983254A6AC8EB2DC43669B8B7E92B6A198ADABDFA00F
SHA512 B8C1F49716CEDD9D60799B827948E401D0FEA6DE3AF5BDC8FA157E9C97F5A4B3767C98EBDFA22F72972202A4C9806EFBB823BD72AC7F9A55183C879ECF7394D3
SSDEEP 384:aFkTw4jG7MLuUSuky8aRT9gcBIWGfPYwC+1ESMCmqOORy1RCVYxX530vB+WMFW:aEGMqUSukIxxoYwP1EGvy+WxX530vBs
IMP 53455FAA9B96202832E76BC0279ED4D5
PESHA1 CAE9EF5C7FECD83B03DDA966490068E13972A1BA
PE256 11FC40546F9A30427A253F006A462FB51626C7977EBF1E0121850D81D93ADC78

Runtime Data

Usage (stdout):

Creates, displays and deletes stored credentials.
Following commands are supported.Use VaultCmd /<command> /? for further help 
VaultCmd /list
VaultCmd /listschema
VaultCmd /listcreds
VaultCmd /addcreds
VaultCmd /deletecreds
VaultCmd /listproperties
VaultCmd /sync

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\VaultCmd.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: VAULTCMD.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/9e68fcf6fd1104bbd1ca47bb36347abc621329924f880b75793638af04dc607e/detection/

Possible Misuse

The following table contains possible examples of VaultCmd.exe being misused. While VaultCmd.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | posh_ps_enumerate_password_windows_credential_manager.yml | - vaultcmd | DRL 1.0
atomic-red-team | index.md | - Atomic Test #4: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] [windows] | MIT License. © 2018 Red Canary
atomic-red-team | index.md | - Atomic Test #5: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] [windows] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | - Atomic Test #4: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] [windows] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | - Atomic Test #5: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] [windows] | MIT License. © 2018 Red Canary
atomic-red-team | T1555.md | - Atomic Test #4 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] | MIT License. © 2018 Red Canary
atomic-red-team | T1555.md | - Atomic Test #5 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] | MIT License. © 2018 Red Canary
atomic-red-team | T1555.md | ## Atomic Test #4 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] | MIT License. © 2018 Red Canary
atomic-red-team | T1555.md | This module will enumerate credentials stored in Windows Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1555.md | vaultcmd /listcreds:"Windows Credentials" /all | MIT License. © 2018 Red Canary
atomic-red-team | T1555.md | ## Atomic Test #5 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] | MIT License. © 2018 Red Canary
atomic-red-team | T1555.md | This module will enumerate credentials stored in Web Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1555.md | vaultcmd /listcreds:"Web Credentials" /all | MIT License. © 2018 Red Canary
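The rows above show the two things a detection for this binary has to key on: the /listcreds switch (the only usage-listed command that reads stored credential entries rather than vault metadata) and the identity of the executable itself, since an attacker can copy VaultCmd.exe and rename it to dodge image-name rules. The following triage routine, written here as an added example and not code from Strontic, Sigma, or Atomic Red Team, runs over constructed Sysmon-style process-creation events (the field names Image, OriginalFileName, CommandLine, Hashes follow Sysmon Event ID 1 but are an assumption of this example), parses the VaultCmd switch syntax, and compares the observed image path and SHA256 against the values catalogued on this page. The SHA256 allow-list contains only the 10.0.17763.1 build shown above; other Windows builds ship a different hash, so a mismatch is reported as a lead to confirm, not as a verdict.

```python
"""Triage process-creation events for VaultCmd.exe credential enumeration.

Added example: the event layout is a constructed, Sysmon-like approximation.
"""
import re

# Identity of VaultCmd.exe as catalogued on this page (build 10.0.17763.1).
KNOWN_SHA256 = "9E68FCF6FD1104BBD1CA47BB36347ABC621329924F880B75793638AF04DC607E"
KNOWN_PATH = r"c:\windows\system32\vaultcmd.exe"
KNOWN_ORIGINAL_FILENAME = "VAULTCMD.EXE.MUI"

# Switches that read stored credential entries. /list and /listschema only
# describe the vaults themselves and are left out on purpose.
ENUMERATION_SWITCHES = {"/listcreds"}

# One token is a run of unquoted text and/or double-quoted spans, so that
# /listcreds:"Windows Credentials" stays a single token despite the space.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
SHA256_RE = re.compile(r"SHA256=([0-9A-Fa-f]{64})")


def parse_switches(command_line):
    """Return [(switch, argument), ...] for every /switch[:arg] on the line."""
    switches = []
    for token in TOKEN_RE.findall(command_line):
        if not token.startswith("/"):
            continue
        name, _, arg = token.partition(":")
        switches.append((name.lower(), arg.strip('"')))
    return switches


def extract_sha256(hashes_field):
    """Pull the SHA256 out of a Sysmon-style 'MD5=...,SHA256=...' field."""
    match = SHA256_RE.search(hashes_field)
    return match.group(1).upper() if match else ""


def triage(event):
    """Return (suspicious, findings) for one process-creation event."""
    findings = []
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").upper()
    sha256 = extract_sha256(event.get("Hashes", ""))
    switches = parse_switches(event.get("CommandLine", ""))

    # Match on the embedded original filename as well as the on-disk name,
    # so a renamed copy of the binary is still recognised as VaultCmd.
    if original != KNOWN_ORIGINAL_FILENAME and not image.endswith("\\vaultcmd.exe"):
        return False, findings

    if image != KNOWN_PATH:
        findings.append(f"unexpected image path for VaultCmd code: {image}")
    if sha256 and sha256 != KNOWN_SHA256:
        findings.append(
            f"SHA256 {sha256} differs from the catalogued build; confirm "
            "against the expected hash for this host's Windows build"
        )
    wants_all = any(name == "/all" for name, _ in switches)
    for name, arg in switches:
        if name in ENUMERATION_SWITCHES:
            detail = " with /all" if wants_all else ""
            findings.append(
                f"credential enumeration: {name} on vault '{arg or '<default>'}'{detail}"
            )
    return bool(findings), findings


# Constructed sample events; nothing here was captured from a real host.
SAMPLE_EVENTS = [
    {  # An administrator listing vaults with the genuine binary.
        "Image": r"C:\Windows\System32\VaultCmd.exe",
        "OriginalFileName": "VAULTCMD.EXE.MUI",
        "CommandLine": "VaultCmd /list",
        "Hashes": "SHA256=" + KNOWN_SHA256,
    },
    {  # Atomic Test #4 as it would appear when run from the genuine binary.
        "Image": r"C:\Windows\System32\VaultCmd.exe",
        "OriginalFileName": "VAULTCMD.EXE.MUI",
        "CommandLine": 'vaultcmd /listcreds:"Windows Credentials" /all',
        "Hashes": "SHA256=" + KNOWN_SHA256,
    },
    {  # The same binary copied and renamed to evade image-name matching.
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "VAULTCMD.EXE.MUI",
        "CommandLine": 'svchost.exe /listcreds:"Web Credentials" /all',
        "Hashes": "SHA256=" + KNOWN_SHA256,
    },
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        suspicious, findings = triage(event)
        print(f"{event['CommandLine']!r}: suspicious={suspicious}")
        for finding in findings:
            print(f"  - {finding}")
```

The renamed-copy case is why the routine keys on OriginalFileName rather than the image name alone; the page's File Metadata section records that value as VAULTCMD.EXE.MUI, and a copy keeps its version resource even after a rename. Whether a given EDR exposes that field under that name, and whether it reports the hash of the image on disk, is an assumption to check against your telemetry before relying on either branch.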

MIT License. Copyright (c) 2020-2021 Strontic.