cmdkey.exe

  • File Path: C:\windows\SysWOW64\cmdkey.exe
  • Description: Credential Manager Command Line Utility

Hashes

Type Hash
MD5 CA4A0211480D05369EFEBF85D94CCE6A
SHA1 14FF29ED8B8963F0BE76ADBCAC1324CB25F68FD1
SHA256 DF4B35DC5C0D2DBDCB9335CCA97D95BEA5BB1C1E78D9249E6ABBE3F6BC57E81E
SHA384 412EFE9B29D53E7FD6CD938A28B30B7E82893C7D2D611C24B16FF87885E4289F7DC0AABCB3238A0549B1AF2CC2993954
SHA512 EF201A2E94BD6FF82D099DDF4B57C1D3EFBF031C7759CB0CE658BCA4AEFDDAC26D2C03B40575C5B463BD5FA0AC9A2414E27F3266F7EA8627267AEADFE6EFF1B7
SSDEEP 192:1A+Q8+sb+AOVucD1RkLt3fipX2fz3c2Tp9S9YNbB93DLkNWlwWsz:1A++M+9VbRzXJ41LONWlwW

Signature

  • Status: The file C:\windows\SysWOW64\cmdkey.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: cmdkey.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of cmdkey.exe being misused. While cmdkey.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_cmdkey_recon.yml title: Cmdkey Cached Credentials Recon DRL 1.0
sigma proc_creation_win_cmdkey_recon.yml description: Detects usage of cmdkey to look for cached credentials DRL 1.0
sigma proc_creation_win_cmdkey_recon.yml - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation DRL 1.0
sigma proc_creation_win_cmdkey_recon.yml Image\|endswith: '\cmdkey.exe' DRL 1.0
sigma proc_creation_win_local_system_owner_account_discovery.yml - Image\|endswith: '\cmdkey.exe' DRL 1.0
sigma proc_creation_win_mstsc.yml Image\|endswith: \cmdkey.exe DRL 1.0
LOLBAS Cmdkey.yml Name: Cmdkey.exe  
LOLBAS Cmdkey.yml - Command: cmdkey /list  
LOLBAS Cmdkey.yml - Path: C:\Windows\System32\cmdkey.exe  
LOLBAS Cmdkey.yml - Path: C:\Windows\SysWOW64\cmdkey.exe  
LOLBAS Cmdkey.yml - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation  
LOLBAS Cmdkey.yml - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey  
atomic-red-team T1021.001.md cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password MIT License. © 2018 Red Canary
atomic-red-team T1087.001.md cmdkey.exe /list MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


cmdkey

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Creates, lists, and deletes stored user names and passwords or credentials.

Syntax

cmdkey [{/add:<targetname>|/generic:<targetname>}] {/smartcard | /user:<username> [/pass:<password>]} [/delete{:<targetname> | /ras}] /list:<targetname>

Parameters

Parameters Description
/add:<targetname> Adds a user name and password to the list.<p>Requires the parameter of <targetname> which identifies the computer or domain name that this entry will be associated with.
/generic:<targetname> Adds generic credentials to the list.<p>Requires the parameter of <targetname> which identifies the computer or domain name that this entry will be associated with.
/smartcard Retrieves the credential from a smart card. If more than one smart card is found on the system when this option is used, cmdkey displays information about all available smart cards, and then prompts the user to specify which one to use.
/user:<username> Specifies the user or account name to store with this entry. If <username> isn’t supplied, it will be requested.
/pass:<password> Specifies the password to store with this entry. If <password> isn’t supplied, it will be requested. Passwords are not displayed after they’re stored.
/delete:{<targetname> \| /ras} Deletes a user name and password from the list. If <targetname> is specified, that entry is deleted. If /ras is specified, the stored remote access entry is deleted.
/list:<targetname> Displays the list of stored user names and credentials. If <targetname> isn’t specified, all stored user names and credentials are listed.
/? Displays help at the command prompt.

Examples

To display a list of all user names and credentials that are stored, type:

cmdkey /list

To add a user name and password for user Mikedan to access computer Server01 with the password Kleo, type:

cmdkey /add:server01 /user:mikedan /pass:Kleo

To add a user name and password for user Mikedan to access computer Server01 and prompt for the password whenever Server01 is accessed, type:

cmdkey /add:server01 /user:mikedan

To delete a credential stored by remote access, type:

cmdkey /delete /ras

To delete a credential stored for Server01, type:

cmdkey /delete:server01

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.