VaultCmd.exe

File Path: C:\Windows\system32\VaultCmd.exe
Description: Vault cmdline Program

Hashes

Type	Hash
MD5	`306E548A802A8FFCD6D5360CD13D6612`
SHA1	`69DC9047C73056C061EBE259F16985C9EABA166C`
SHA256	`52BE7172716ABBC00F6190D27C24FAC24E6A871E4E6BFEA608E50D254737FC59`
SHA384	`81A5B73D87BC54DB8FA650D2E96DC551371C4F5E5A2989751214C3D67494F8906112764DA0F4E032A08076D2536BA5D4`
SHA512	`8B309B01B8FEA58823178B587332A72B1C62F6EA15D0814041B4510622C2A790B3CA995AFC04DD0F38713C430A0983F03CB57DFADC377394E19B2CD48745424D`
SSDEEP	`384:6HP+BIhjOAVnyluGSkhJrefbHjcN5GMuetruHIp7bYjAVkBNWYFW:EP7XVnyQGS08fbDcLGPeKo8jAqBZ`

Runtime Data

Usage (stdout):

Creates, displays and deletes stored credentials.
Following commands are supported.Use VaultCmd /<command> /? for further help 
VaultCmd /list
VaultCmd /listschema
VaultCmd /listcreds
VaultCmd /addcreds
VaultCmd /deletecreds
VaultCmd /listproperties
VaultCmd /sync

Signature

Status: Signature verified.
Serial: 33000000BCE120FDD27CC8EE930000000000BC
Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: VAULTCMD.EXE.MUI
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.14393.0 (rs1_release.160715-1616)
Product Version: 10.0.14393.0
Language: English (United States)

Possible Misuse

The following table contains possible examples of VaultCmd.exe being misused. While VaultCmd.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	posh_ps_enumerate_password_windows_credential_manager.yml	`- vaultcmd`	DRL 1.0
atomic-red-team	index.md	- Atomic Test #4: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #5: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #4: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #5: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1555.md	- Atomic Test #4 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]	MIT License. © 2018 Red Canary
atomic-red-team	T1555.md	- Atomic Test #5 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]	MIT License. © 2018 Red Canary
atomic-red-team	T1555.md	## Atomic Test #4 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]	MIT License. © 2018 Red Canary
atomic-red-team	T1555.md	This module will enumerate credentials stored in Windows Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1555.md	vaultcmd /listcreds:”Windows Credentials” /all	MIT License. © 2018 Red Canary
atomic-red-team	T1555.md	## Atomic Test #5 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]	MIT License. © 2018 Red Canary
atomic-red-team	T1555.md	This module will enumerate credentials stored in Web Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1555.md	vaultcmd /listcreds:”Web Credentials” /all	MIT License. © 2018 Red Canary