The cmdkey Tool in Windows Credential Management
Windows ships with several built-in administrative utilities that simplify daily operations for IT teams. One such tool is cmdkey.exe. While originally intended for legitimate credential management, in the wrong hands it becomes a powerful credential abuse and persistence mechanism.
This article explores how adversaries may leverage cmdkey in post-exploitation scenarios, red team operations, and why defenders must monitor its usage closely.
What is cmdkey?
The cmdkey.exe utility manages stored user names and passwords. It allows users to:
- Create, list, and delete stored credentials.
- Simplify authentication to remote resources.
- Automate connections without prompting for passwords.
Syntax
cmdkey /list
cmdkey /add:<targetname> /user:<username> /pass:<password>
cmdkey /delete:<targetname>
How Hackers Abuse cmdkey
When attackers gain access to a system, one of their goals is credential harvesting and privilege escalation. Since cmdkey interacts directly with the Windows Credential Manager, it can be used to enumerate saved credentials and inject their own for persistence.
1. Enumerating Stored Credentials
Attackers can quickly check for cached credentials that might be reused across systems:
cmdkey /list
Typical output:
Currently stored credentials:
Target: Domain:target=TERMSRV/192.168.1.20
Type: Domain Password
User: CORP\administrator
This reveals RDP or network drive credentials that may allow lateral movement.
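The same `cmdkey /list` output format, read from the defender's side: the script below (added here as an example, not part of the original article) parses the listing into records and flags entries that deserve review, namely saved RDP credentials (`TERMSRV/` targets) and privileged-looking accounts, which are exactly the entries that give lateral movement value if the host is compromised. The sample listing is constructed, the set of "privileged" account hints is an assumption, and the `delete_command` helper assumes that the name after `target=` is what `cmdkey /delete:` expects, as in the article's own delete example.

```python
"""Parse `cmdkey /list` output and flag stored credentials worth reviewing.

Example code written for this article; the listing below is constructed,
not captured from a real host.
"""
import re
from dataclasses import dataclass

SAMPLE_LIST_OUTPUT = r"""
Currently stored credentials:

    Target: Domain:target=TERMSRV/192.168.1.20
    Type: Domain Password
    User: CORP\administrator

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: CORP\jdoe

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: jdoe
"""

# Substrings that suggest a privileged or service account (assumption; tune per environment).
PRIVILEGED_HINTS = ("administrator", "admin", "backup", "svc")

FIELD_MAP = {"Target": "target", "Type": "cred_type", "User": "user"}


@dataclass
class StoredCredential:
    target: str
    cred_type: str
    user: str

    @property
    def is_rdp(self) -> bool:
        # Remote Desktop credentials are stored under TERMSRV/<host>.
        return "TERMSRV/" in self.target.upper()


def _finish(fields: dict) -> StoredCredential:
    return StoredCredential(fields.get("target", ""), fields.get("cred_type", ""), fields.get("user", ""))


def parse_cmdkey_list(text: str) -> list:
    """Turn the three-line Target/Type/User blocks into StoredCredential records."""
    records, current = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*(Target|Type|User):\s*(.+?)\s*$", line)
        if not m:
            continue  # header, blank line, or anything we do not model
        field, value = FIELD_MAP[m.group(1)], m.group(2)
        if field == "target" and current:
            records.append(_finish(current))  # a new Target line starts a new record
            current = {}
        current[field] = value
    if current:
        records.append(_finish(current))
    return records


def review(records: list) -> list:
    """Return (record, [reasons]) for every stored credential that merits a look."""
    findings = []
    for rec in records:
        reasons = []
        if rec.is_rdp:
            reasons.append("saved RDP credential (TERMSRV target)")
        account = rec.user.split("\\")[-1].lower()
        if any(hint in account for hint in PRIVILEGED_HINTS):
            reasons.append(f"privileged-looking account '{rec.user}'")
        if reasons:
            findings.append((rec, reasons))
    return findings


def delete_command(rec: StoredCredential) -> str:
    """Build the cmdkey command that removes this entry (assumes the name after
    'target=' is the target cmdkey /delete expects, as in the article's example)."""
    name = rec.target.split("target=", 1)[-1]
    return f"cmdkey /delete:{name}"


if __name__ == "__main__":
    for rec, reasons in review(parse_cmdkey_list(SAMPLE_LIST_OUTPUT)):
        print(rec.target, "->", "; ".join(reasons))
        print("  cleanup:", delete_command(rec))
```

Run it against the output of `cmdkey /list` collected from a host during a credential-hygiene review; entries it flags are candidates for the `cmdkey /delete` cleanup the article recommends under Defensive Measures.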
2. Adding Malicious Credentials
An attacker with administrative access can inject their own credentials for persistence:
cmdkey /add:TERMSRV/192.168.1.50 /user:corp\eviluser /pass:P@ssw0rd!
This ensures that when connecting via RDP or SMB, the attacker doesn't need to enter credentials manually.
3. Using runas with Stored Credentials
Normally, the Windows runas command allows a user to start a process as another user, but it prompts for a password.
When paired with cmdkey, attackers can bypass the password prompt if credentials are already cached.
Example
- Store credentials with cmdkey:
cmdkey /add:CORP /user:corp\backupadmin /pass:B@ckup123!
- Launch a process with those credentials:
runas /savecred /user:corp\backupadmin "cmd.exe /c whoami"
The /savecred option tells Windows to reuse stored credentials. Output:
corp\backupadmin
This technique allows an adversary to run administrative tools or scripts under a different account without re-entering passwords.
4. Deleting Logs of Their Activity
To cover their tracks, attackers may remove credentials they created:
cmdkey /delete:TERMSRV/192.168.1.50
5. Combining with Other Tools
- With mstsc (Remote Desktop): After adding credentials with cmdkey, an attacker can silently RDP into another host:
mstsc /v:192.168.1.50
- With Scheduled Tasks: Adversaries may schedule recurring tasks that leverage saved credentials for persistence or data exfiltration.
Detection and Defense
Indicators of Malicious Use
- Unusual execution of cmdkey.exe or runas.exe.
- Creation of new stored credentials outside normal IT workflows.
- Frequent credential enumeration followed by RDP or remote tool connections.
Defensive Measures
- Enable PowerShell & Command Line logging (Event ID 4688).
- Monitor cmdkey and runas usage via Sysmon Event ID 1 (process creation).
- Alert on runas /savecred usage, which is rarely legitimate in enterprise environments.
- Regularly clear old cached credentials with:
cmdkey /delete /?
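The indicators and defensive measures above turned into detection logic, as an added example that is not part of the original article: it evaluates process-creation records (the fields used are those that both Sysmon Event ID 1 and Security Event ID 4688 with command-line auditing provide) against three rules, `runas /savecred` anywhere, `cmdkey /add` or `/delete` by an account outside the IT workflow, and `cmdkey /list` followed within a short window by an RDP client launch from the same host and user. The event records, the `APPROVED_CREDENTIAL_ADMINS` allowlist and the ten-minute correlation window are constructed assumptions for the demonstration.

```python
"""Detection rules for cmdkey / runas abuse over process-creation events.

Example code written for this article. Events are modelled on the fields that
Sysmon Event ID 1 and Windows Security Event ID 4688 (with command-line
auditing enabled) both expose; the sample events below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    user: str          # DOMAIN\account that created the process
    image: str         # full path of the new process
    command_line: str


# Accounts whose cmdkey changes are part of a sanctioned IT workflow (assumption).
APPROVED_CREDENTIAL_ADMINS = {"corp\\svc_itautomation"}
# How soon after `cmdkey /list` an RDP client launch counts as "enumeration then connect".
ENUM_TO_RDP_WINDOW = timedelta(minutes=10)


def _exe(image: str) -> str:
    """Lower-cased file name of the image path, tolerant of either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events: list) -> list:
    """Return (severity, rule, event) tuples for every event that matches a rule."""
    alerts = []
    last_list = {}  # (host, user) -> timestamp of the most recent `cmdkey /list`
    for ev in sorted(events, key=lambda e: e.ts):
        exe = _exe(ev.image)
        cl = ev.command_line.lower()
        key = (ev.host, ev.user.lower())

        if exe == "runas.exe" and "/savecred" in cl:
            alerts.append(("high", "runas /savecred", ev))
        elif exe == "cmdkey.exe":
            if re.search(r"/list\b", cl):
                last_list[key] = ev.ts
            if re.search(r"/(add|delete):", cl) and ev.user.lower() not in APPROVED_CREDENTIAL_ADMINS:
                alerts.append(("medium", "cmdkey credential change outside IT workflow", ev))
        elif exe == "mstsc.exe":
            seen = last_list.get(key)
            if seen is not None and ev.ts - seen <= ENUM_TO_RDP_WINDOW:
                alerts.append(("high", "credential enumeration followed by RDP", ev))
    return alerts


def sample_events() -> list:
    """Constructed events: one suspicious sequence on WS01, one sanctioned change, one benign RDP."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    sys32 = r"C:\Windows\System32"
    return [
        ProcessEvent(t0, "WS01", "CORP\\jdoe", sys32 + r"\cmdkey.exe", "cmdkey /list"),
        ProcessEvent(t0 + timedelta(minutes=3), "WS01", "CORP\\jdoe", sys32 + r"\mstsc.exe",
                     "mstsc /v:192.168.1.50"),
        ProcessEvent(t0 + timedelta(minutes=4), "WS01", "CORP\\jdoe", sys32 + r"\cmdkey.exe",
                     "cmdkey /add:TERMSRV/192.168.1.50 /user:corp\\eviluser /pass:<redacted>"),
        ProcessEvent(t0 + timedelta(minutes=5), "WS01", "CORP\\jdoe", sys32 + r"\runas.exe",
                     'runas /savecred /user:corp\\backupadmin "cmd.exe /c whoami"'),
        ProcessEvent(t0 + timedelta(hours=1), "SRV02", "CORP\\svc_itautomation", sys32 + r"\cmdkey.exe",
                     "cmdkey /add:fileserver01 /user:corp\\svc_backup /pass:<redacted>"),
        ProcessEvent(t0 + timedelta(hours=2), "WS03", "CORP\\asmith", sys32 + r"\mstsc.exe",
                     "mstsc /v:192.168.1.20"),
    ]


if __name__ == "__main__":
    for severity, rule, ev in evaluate(sample_events()):
        print(f"[{severity}] {rule}: {ev.ts} {ev.host} {ev.user} :: {ev.command_line}")
```

The allowlist is deliberately checked only for `/add` and `/delete`; enumeration with `/list` is recorded for every account because the page's third indicator is the sequence "list, then connect", which is suspicious regardless of who runs it. In a SIEM the same three rules map naturally onto a simple match for the first two and a sequence or join for the third.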
Conclusion
cmdkey.exe and runas.exe are dual-use tools: invaluable for administrators, but equally attractive to hackers. Their ability to silently list, add, and leverage credentials makes them critical points of concern in Windows environments.
- Red Teams use cmdkey and runas to simulate adversarial credential abuse in controlled engagements.
- Blue Teams must treat their execution as suspicious in non-administrative contexts.
By understanding their abuse potential, defenders can detect malicious patterns, while red teams can highlight weaknesses in credential management policies.