The cmdkey Tool in Windows Credential Management
Windows ships with several built-in administrative utilities that simplify daily operations for IT teams. One such tool is cmdkey.exe. While originally intended for legitimate credential management, in the wrong hands it becomes a powerful credential abuse and persistence mechanism.
This article explores how adversaries may leverage cmdkey in post-exploitation scenarios and red team operations, and why defenders must monitor its usage closely.
What is cmdkey?
The cmdkey.exe utility manages stored user names and passwords. It allows users to:
- Create, list, and delete stored credentials.
- Simplify authentication to remote resources.
- Automate connections without prompting for passwords.
Syntax
cmdkey /list
cmdkey /add:<targetname> /user:<username> /pass:<password>
cmdkey /delete:<targetname>
How Hackers Abuse cmdkey
When attackers gain access to a system, one of their goals is credential harvesting and privilege escalation. Since cmdkey interacts directly with the Windows Credential Manager, they can use it to enumerate saved credentials and add their own for persistence.
1. Enumerating Stored Credentials
Attackers can quickly check for cached credentials that might be reused across systems:
cmdkey /list
Typical output:
Currently stored credentials:
Target: Domain:target=TERMSRV/192.168.1.20
Type: Domain Password
User: CORP\administrator
This reveals RDP or network drive credentials that may allow lateral movement.
2. Adding Malicious Credentials
An attacker with administrative access can inject their own credentials for persistence:
cmdkey /add:TERMSRV/192.168.1.50 /user:corp\eviluser /pass:P@ssw0rd!
This ensures that when connecting via RDP or SMB, the attacker doesn't need to enter credentials manually.
3. Using runas with Stored Credentials
Normally, the Windows runas command allows a user to start a process as another user, but it prompts for a password. When paired with cmdkey, attackers can bypass the password prompt if credentials are already cached.
Example
- Store credentials with cmdkey:
cmdkey /add:CORP /user:corp\backupadmin /pass:B@ckup123!
- Launch a process with those credentials:
runas /savecred /user:corp\backupadmin "cmd.exe /c whoami"
The /savecred option tells Windows to reuse stored credentials. Output:
corp\backupadmin
This technique allows an adversary to run administrative tools or scripts under a different account without re-entering passwords.
4. Deleting Logs of Their Activity
To cover their tracks, attackers may remove credentials they created:
cmdkey /delete:TERMSRV/192.168.1.50
5. Combining with Other Tools
- With mstsc (Remote Desktop): After adding credentials with cmdkey, an attacker can silently RDP into another host:
mstsc /v:192.168.1.50
- With Scheduled Tasks: Adversaries may schedule recurring tasks that leverage saved credentials for persistence or data exfiltration.
Detection and Defense
Indicators of Malicious Use
- Unusual execution of cmdkey.exe or runas.exe.
- Creation of new stored credentials outside normal IT workflows.
- Frequent credential enumeration followed by RDP or remote tool connections.
Defensive Measures
- Enable PowerShell and command line logging (Event ID 4688).
- Monitor cmdkey and runas usage via Sysmon Event ID 1 (process creation).
- Alert on runas /savecred usage, which is rarely legitimate in enterprise environments.
- Regularly clear old cached credentials with:
cmdkey /delete:<targetname>
(run cmdkey /? to see the full option list; note that cmdkey /delete /? only prints the help text and removes nothing.)
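The indicators above can be turned into a small detection routine. The following is an added example (not code from the original article or from IsoSecu) that classifies process-creation command lines exported from Security Event ID 4688 or Sysmon Event ID 1, flags cmdkey /add, cmdkey /delete and runas /savecred, and raises a second alert when the same user runs cmdkey /list and then a remote tool (mstsc or net) within a short window. The event records and field names are constructed for the example; an exported log would need to be mapped onto the same three fields. Because command-line auditing captures the /pass: value in clear text, the routine redacts it before the alert is stored.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of process-creation events, reduced to the fields the rules need
# (timestamp, subject user, command line), roughly the shape of an exported 4688/Sysmon 1 event.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "user": r"CORP\jdoe", "cmd": "cmdkey /list"},
    {"time": "2024-05-01T09:00:40", "user": r"CORP\jdoe",
     "cmd": r"cmdkey /add:TERMSRV/192.168.1.50 /user:corp\eviluser /pass:P@ssw0rd!"},
    {"time": "2024-05-01T09:01:10", "user": r"CORP\jdoe", "cmd": "mstsc /v:192.168.1.50"},
    {"time": "2024-05-01T10:15:00", "user": r"CORP\svc_backup",
     "cmd": r'runas /savecred /user:corp\backupadmin "cmd.exe /c whoami"'},
    {"time": "2024-05-01T11:00:00", "user": r"CORP\helpdesk", "cmd": "cmdkey /delete:TERMSRV/192.168.1.50"},
]

# Match the binary name at the start of the line or after a path separator / space.
CMDKEY = re.compile(r"(?:^|[\\\s])cmdkey(?:\.exe)?\b", re.I)
RUNAS = re.compile(r"(?:^|[\\\s])runas(?:\.exe)?\b", re.I)
REMOTE = re.compile(r"(?:^|[\\\s])(?:mstsc|net)(?:\.exe)?\b", re.I)
PASS = re.compile(r"(/pass:)\S+", re.I)

def redact(cmd):
    """4688/Sysmon record the /pass: value in clear; strip it before the alert is stored."""
    return PASS.sub(r"\1<redacted>", cmd)

def classify(cmd):
    """Return the set of indicator tags a single command line matches."""
    tags = set()
    if CMDKEY.search(cmd):
        for opt in ("list", "add", "delete"):
            if re.search(r"\s/%s\b" % opt, cmd, re.I):
                tags.add("cmdkey_" + opt)
    if RUNAS.search(cmd) and re.search(r"\s/savecred\b", cmd, re.I):
        tags.add("runas_savecred")
    if REMOTE.search(cmd):
        tags.add("remote_tool")
    return tags

def detect(events, window_seconds=300):
    """Per-event alerts plus the sequence 'credential enumeration, then remote tool' per user."""
    alerts, last_list = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        t, tags = datetime.fromisoformat(ev["time"]), classify(ev["cmd"])
        if tags & {"cmdkey_add", "cmdkey_delete", "runas_savecred"}:
            alerts.append((ev["time"], ev["user"], "stored-credential-change", redact(ev["cmd"])))
        if "cmdkey_list" in tags:
            last_list[ev["user"]] = t
        if "remote_tool" in tags and ev["user"] in last_list \
                and t - last_list[ev["user"]] <= timedelta(seconds=window_seconds):
            alerts.append((ev["time"], ev["user"], "enumeration-then-remote", redact(ev["cmd"])))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

Credentials saved through runas /savecred show up in cmdkey /list with a target of the form Domain:interactive=<user>, so the same target prefix is worth including when you review the output of cmdkey /list on a host.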
Conclusion
cmdkey.exe and runas.exe are dual-use tools: invaluable for administrators, but equally attractive to hackers. Their ability to silently list, add, and leverage credentials makes them critical points of concern in Windows environments.
- Red Teams use cmdkey and runas to simulate adversarial credential abuse in controlled engagements.
- Blue Teams must treat their execution as suspicious in non-administrative contexts.
By understanding their abuse potential, defenders can detect malicious patterns, while red teams can highlight weaknesses in credential management policies.
***
Note on Content Creation: This article was developed with the assistance of generative AI like Gemini or ChatGPT. While all public AI strives for accuracy and comprehensive coverage, all content is reviewed and edited by human experts at IsoSecu to ensure factual correctness, relevance, and adherence to our editorial standards.