The cmdkey Tool in Windows Credential Management

Windows ships with several built-in administrative utilities that simplify daily operations for IT teams. One such tool is cmdkey.exe. While originally intended for legitimate credential management, in the wrong hands it becomes a powerful credential abuse and persistence mechanism.

This article explores how adversaries may leverage cmdkey in post-exploitation scenarios, red team operations, and why defenders must monitor its usage closely.

What is cmdkey?

The cmdkey.exe utility manages stored user names and passwords. It allows users to:

  • Create, list, and delete stored credentials.
  • Simplify authentication to remote resources.
  • Automate connections without prompting for passwords.

Syntax

cmdkey /list
cmdkey /add:<targetname> /user:<username> /pass:<password>
cmdkey /delete:<targetname>

How Hackers Abuse cmdkey

When attackers gain access to a system, one of their goals is credential harvesting and privilege escalation. Since cmdkey interacts directly with the Windows Credential Manager, it can be used to enumerate saved credentials and inject their own for persistence.

1. Enumerating Stored Credentials

Attackers can quickly check for cached credentials that might be reused across systems:

cmdkey /list

Typical output:

Currently stored credentials:

    Target: Domain:target=TERMSRV/192.168.1.20
    Type:   Domain Password
    User:   CORP\administrator

This reveals RDP or network drive credentials that may allow lateral movement.

2. Adding Malicious Credentials

An attacker with administrative access can inject their own credentials for persistence:

cmdkey /add:TERMSRV/192.168.1.50 /user:corp\eviluser /pass:P@ssw0rd!

This ensures that when connecting via RDP or SMB, the attacker doesn't need to enter credentials manually.

3. Using runas with Stored Credentials

Normally, the Windows runas command allows a user to start a process as another user, but it prompts for a password. When paired with cmdkey, attackers can bypass the password prompt if credentials are already cached.

Example

  1. Store credentials with cmdkey:

    cmdkey /add:CORP /user:corp\backupadmin /pass:B@ckup123!

  2. Launch a process with those credentials:

    runas /savecred /user:corp\backupadmin "cmd.exe /c whoami"

    The /savecred option tells Windows to reuse stored credentials. Output:

    corp\backupadmin

This technique allows an adversary to run administrative tools or scripts under a different account without re-entering passwords.

4. Deleting Logs of Their Activity

To cover their tracks, attackers may remove credentials they created:

cmdkey /delete:TERMSRV/192.168.1.50

5. Combining with Other Tools

  • With mstsc (Remote Desktop):

    After adding credentials with cmdkey, an attacker can silently RDP into another host:

    mstsc /v:192.168.1.50

  • With Scheduled Tasks:

    Adversaries may schedule recurring tasks that leverage saved credentials for persistence or data exfiltration.

Detection and Defense

Indicators of Malicious Use

  • Unusual execution of cmdkey.exe or runas.exe.
  • Creation of new stored credentials outside normal IT workflows.
  • Frequent credential enumeration followed by RDP or remote tool connections.

Defensive Measures

  • Enable PowerShell & Command Line logging (Event ID 4688).

  • Monitor cmdkey and runas usage via Sysmon Event ID 1 (process creation).

  • Alert on runas /savecred usage, which is rarely legitimate in enterprise environments.

  • Regularly clear old cached credentials with:

    cmdkey /delete /?

Conclusion

cmdkey.exe and runas.exe are dual-use tools: invaluable for administrators, but equally attractive to hackers. Their ability to silently list, add, and leverage credentials makes them critical points of concern in Windows environments.

  • Red Teams use cmdkey and runas to simulate adversarial credential abuse in controlled engagements.
  • Blue Teams must treat their execution as suspicious in non-administrative contexts.

By understanding their abuse potential, defenders can detect malicious patterns, while red teams can highlight weaknesses in credential management policies.

Love it? Share this article: