Windows Credential Manager: A Complete Guide

Windows Credential Manager is a secure storage system for credentials such as usernames, passwords, and certificates. It allows applications and scripts to retrieve login information without hardcoding sensitive details, thereby enhancing both security and usability.

What is Windows Credential Manager?

Credential Manager stores credentials in an encrypted vault on Windows systems. Applications, browsers, and scripts can use these stored credentials to authenticate without repeatedly prompting the user.

Credentials are stored in two major categories:

Windows Credentials - Used by Windows services and applications (e.g., domain authentication, mapped drives).
Generic Credentials - Used by custom applications, web services, and scripts.

Where to Find Credential Manager ?

Open Control Panel → User Accounts → Credential Manager
Alternatively, run the following command:

   rundll32.exe keymgr.dll,KRShowKeyMgr

Credential Storage Locations

Windows Vaults: Credentials are stored in the Windows Vault, located in:
```
%Systemdrive%\Users\<username>\AppData\Local\Microsoft\Credentials
```
The credentials are encrypted using the Data Protection API (DPAPI), ensuring they are tied to the user profile.

Managing Credentials with PowerShell

Windows provides a module called CredentialManager that simplifies handling stored credentials.

Install the CredentialManager Module

Install-Module -Name CredentialManager -Scope CurrentUser

Add a New Credential

New-StoredCredential -Target "MyApp" -UserName "testuser" -Password "SuperSecret123" -Persist LocalMachine

Retrieve a Credential

$cred = Get-StoredCredential -Target "MyApp"
$cred.UserName
$cred.Password

Remove a Credential

Remove-StoredCredential -Target "MyApp"

Using Credential Manager in .NET

Applications written in .NET can access Credential Manager via the System.Security.Cryptography and third-party libraries.

Example using CredentialManagement NuGet package:

using CredentialManagement;
 
class Program
{
    static void Main()
    {
        var cred = new Credential { Target = "MyApp" };
        cred.Load();
        Console.WriteLine($"User: {cred.Username}");
        Console.WriteLine($"Password: {cred.Password}");
    }
}

Security Best Practices

Do not hardcode credentials in scripts or source code.
Use Generic Credentials for custom apps instead of plain-text config files.
Ensure user profiles are protected, as credentials are tied to the Windows user.
Combine Credential Manager with Windows Hello or Multi-Factor Authentication where possible.

Red Team Best Practices (Offensive)

When simulating an attacker's perspective, Red Teams often evaluate how credentials stored in Windows Credential Manager can be abused.

Credential Harvesting: Check if insecure apps store credentials in the vault without strong protections.
DPAPI Abuse Simulation: Demonstrate how attackers could attempt to extract DPAPI keys (requires local access and user context).
Misconfigured Storage Testing: Identify applications that store passwords in Credential Manager when they should use secure token-based authentication.
Least Privilege Testing: Highlight when unnecessary services or accounts have credentials stored locally.
Persistence Simulation: Assess how attackers could use saved credentials for lateral movement.

! These activities must only be done in authorized penetration tests or security assessments.

Blue Team Best Practices (Defensive)

Defenders should harden, monitor, and restrict Credential Manager usage to minimize risks.

Audit Access: Enable logging for DPAPI and Credential Manager API usage.
Harden Permissions: Restrict local admin rights to prevent attackers from dumping DPAPI-protected secrets.
Application Reviews: Ensure enterprise apps use token-based authentication (OAuth, Kerberos) instead of storing long-lived credentials.
Regular Vault Cleanup: Encourage users to remove old or unused credentials.
MFA Enforcement: Pair Credential Manager with Windows Hello, Smart Cards, or other MFA solutions.
Threat Hunting: Look for suspicious processes (e.g., PowerShell, C#, or custom tools) accessing Credential Manager unexpectedly.
Incident Response: If compromised, reset all potentially exposed credentials and invalidate stored secrets.

Red Team vs Blue Team Quick Reference

Aspect	Red Team (Offensive)	Blue Team (Defensive)
Credential Discovery	Enumerate stored credentials with PowerShell/.NET APIs	Monitor API calls and log unusual credential access
DPAPI Usage	Attempt to extract DPAPI-protected secrets (with context)	Enforce strong user profile protection & DPAPI key safety
Persistence	Use saved credentials for lateral movement	Audit vaults & remove stale/unused credentials
Misconfiguration Testing	Find apps storing plaintext or weakly protected secrets	Enforce app reviews to ensure token-based authentication
Privilege Abuse	Test if local admins can dump stored credentials	Restrict admin rights & enable Just Enough Administration
Detection Evasion	Blend credential access into normal user activity	Enable threat hunting for abnormal process access patterns
Response	Simulate credential theft scenarios	Reset exposed creds, revoke tokens, and enforce MFA

Conclusion

Windows Credential Manager is a powerful tool for securely storing and retrieving credentials. It provides convenience but also introduces potential risks if misused.

For Red Teams, it's a common target to simulate real-world credential theft scenarios.
For Blue Teams, monitoring, restricting access, and enforcing proper credential hygiene are key to defending against abuse.

By understanding both offensive and defensive perspectives, organizations can better secure their environment while still leveraging the usability benefits of Credential Manager.