MITRE ATT&CK® Analytic

AN0378: Analytic 0378

Detects unauthorized access to Windows Credential Manager through anomalous process execution (vaultcmd.exe, rundll32.exe keymgr.dll), suspicious API calls (CredEnumerateA), or direct file access to Credential Locker files. Correlates process creation with subsequent file reads of .vcrd/.vpol files under user Credential Locker directories.

Enterprise · AN0378 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because Windows Credential Manager can hold credentials that affect user access, lateral movement risk, and incident scope. The supplied ATT&CK object focuses on detecting unusual access to Credential Manager through suspicious process execution, API usage, or reads of Credential Locker files. For leaders, the value is in validating whether endpoint telemetry can show who accessed stored credentials, from what process, and whether that access was expected.

Executive priority

Prioritize this as an identity and incident-response readiness check for Windows environments. If defenders cannot monitor Credential Manager access patterns, investigations may miss early credential exposure indicators and struggle to prove whether stored credentials were accessed. This supports control prioritization around endpoint logging, credential protection, SOC detection engineering, and audit evidence for privileged-access monitoring.

Technical view

For SOC and detection teams, validate visibility on Windows process creation involving vaultcmd.exe and rundll32.exe with keymgr.dll, suspicious use of Credential Manager-related APIs such as CredEnumerateA where observable, and file reads of .vcrd and .vpol files under user Credential Locker directories. The object describes correlation between process creation and subsequent Credential Locker file access, so detection should not rely on a single event type when richer endpoint telemetry is available. No ATT&CK tactic or relationship context was supplied, so local triage should map alerts to the observed user, host role, parent process, command line, file path, and expected administrative or user activity.

Likely telemetry

  • Windows endpoint process creation events, including image name, command line, parent process, user, and host
  • File access telemetry for reads of .vcrd and .vpol files in user Credential Locker directories
  • Endpoint telemetry capable of surfacing DLL usage involving rundll32.exe and keymgr.dll
  • API-level or EDR telemetry for Credential Manager calls such as CredEnumerateA, if available
  • User and host context to distinguish expected credential management activity from anomalous access

Detection direction

  • Confirm that telemetry exists for both process creation and file reads; the described analytic depends on correlating these evidence types.
  • Tune for unusual vaultcmd.exe or rundll32.exe keymgr.dll execution by uncommon users, unexpected parent processes, unusual hosts, or proximity to Credential Locker file reads.
  • Where API telemetry is available, review CredEnumerateA observations in context rather than treating all usage as malicious.
  • Account for legitimate Windows or user credential-management activity to reduce false positives; baseline normal administrative and helpdesk workflows before broad alerting.
  • Validate blind spots on endpoints without EDR file-read visibility or API telemetry, because process-only detection may miss direct file access patterns.
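The process-to-file-read correlation described above, worked through as an added example that is not part of the ATT&CK analytic or of Glexia's page: the event schema, the per-user Vault path layout, the placeholder GUID and the 120-second window are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample telemetry (not from the page): simplified process-creation and
# file-read records that share host and pid so they can be joined. GUID and names are placeholders.
VAULT = r"C:\Users\{u}\AppData\Local\Microsoft\Vault\11111111-2222-3333-4444-555555555555\{f}"
EVENTS: List[Dict] = [
    {"ts": "2024-05-01T09:00:00", "type": "process", "host": "WS01", "user": "alice", "pid": 4120,
     "image": r"C:\Windows\System32\vaultcmd.exe", "cmdline": "vaultcmd.exe", "parent": "cmd.exe"},
    {"ts": "2024-05-01T09:00:03", "type": "file_read", "host": "WS01", "pid": 4120,
     "path": VAULT.format(u="alice", f="Policy.vpol")},
    {"ts": "2024-05-01T09:00:04", "type": "file_read", "host": "WS01", "pid": 4120,
     "path": VAULT.format(u="alice", f="A1B2C3D4E5F6.vcrd")},
    {"ts": "2024-05-01T09:10:00", "type": "process", "host": "WS02", "user": "bob", "pid": 5200,
     "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL",
     "parent": "explorer.exe"},  # rundll32 with an unrelated DLL: not a Credential Manager indicator
    {"ts": "2024-05-01T09:20:00", "type": "process", "host": "WS03", "user": "carol", "pid": 6100,
     "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe keymgr.dll", "parent": "powershell.exe"},
    {"ts": "2024-05-01T09:21:30", "type": "file_read", "host": "WS03", "pid": 6100,
     "path": VAULT.format(u="carol", f="F6E5D4C3B2A1.vcrd")},
]

# Assumed location of per-user Credential Locker files (.vcrd entries and the .vpol policy file)
LOCKER_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\Microsoft\\Vault\\.*\.(vcrd|vpol)$", re.I)

def is_suspicious_process(ev: Dict) -> bool:
    """vaultcmd.exe, or rundll32.exe whose command line references keymgr.dll (the analytic's indicators)."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    return image == "vaultcmd.exe" or (image == "rundll32.exe" and "keymgr.dll" in ev["cmdline"].lower())

def is_locker_read(ev: Dict) -> bool:
    return ev["type"] == "file_read" and LOCKER_RE.search(ev["path"]) is not None

def correlate(events: List[Dict], window_s: int = 120) -> List[Dict]:
    """Pair each suspicious process start with locker reads by the same host/pid within window_s seconds."""
    window = timedelta(seconds=window_s)
    alerts = []
    for proc in (e for e in events if e["type"] == "process" and is_suspicious_process(e)):
        t0 = datetime.fromisoformat(proc["ts"])
        reads = [r["path"] for r in events if is_locker_read(r) and r["host"] == proc["host"]
                 and r["pid"] == proc["pid"] and t0 <= datetime.fromisoformat(r["ts"]) <= t0 + window]
        if reads:  # execution alone is not enough: require the follow-on Credential Locker read
            alerts.append({"host": proc["host"], "user": proc["user"], "parent": proc["parent"],
                           "cmdline": proc["cmdline"], "files": reads})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Each alert carries user, host, parent process, command line and the files touched, which are the triage fields the technical view asks for; shrinking the window drops the slower carol case, which is the tuning knob the detection direction refers to.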

Mitigation priorities

  • First, ensure Windows endpoint logging or EDR coverage captures process creation and relevant Credential Locker file access events.
  • Next, restrict and monitor privileged access paths that could expose stored credentials, especially on administrative workstations and high-value user systems.
  • Harden credential handling practices so sensitive accounts are not unnecessarily stored in Windows Credential Manager.
  • Use incident-response playbooks that preserve host, user, process, and file-access evidence when Credential Manager access is suspected.
  • Periodically test the analytic logic against authorized credential-management activity to confirm detection quality and auditability.

Analyst notes and limits

The supplied object is a detection analytic for Windows and provides a concise description but no separate official detection text, tactics, labels, or relationship context. Glexia’s interpretation therefore centers on validation of telemetry and control readiness rather than threat attribution or assumed exploitation.

No relationships, ATT&CK tactics, procedure examples, or official detection implementation details were supplied. Local environment evidence is required to determine normal Credential Manager usage, feasible telemetry sources, alert thresholds, and response severity.

Official MITRE ATT&CK definition

Analytic 0378

Detects unauthorized access to Windows Credential Manager through anomalous process execution (vaultcmd.exe, rundll32.exe keymgr.dll), suspicious API calls (CredEnumerateA), or direct file access to Credential Locker files. Correlates process creation with subsequent file reads of .vcrd/.vpol files under user Credential Locker directories.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release:  19.1
Object version:  1.0
Created:
Modified:
Raw hash:        c1c0ce69238f3d44...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  c1c0ce69238f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0378 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.