Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName == "cmdkey.exe" | where ProcessCommandLine has "/list" | project Timestamp, DeviceName, AccountName, ProcessCommandLine

DeviceProcessEvents | where FileName in ('cmd.exe', 'powershell.exe') | where ProcessCommandLine has 'cmdkey' | project DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, TimeGenerated

DeviceProcessEvents | where FileName =~ "cmdkey.exe" | where ProcessCommandLine contains "/list" | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has "cmdkey.exe" and ProcessCommandLine has "list" | summarize ProcessCommandLineSet = makeset(ProcessCommandLine) by DeviceId, DeviceName | extend HostName = tostring(split(DeviceName, '.') [0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.')) | project-away DeviceName, DeviceId | extend HostName = tolower(HostName) | extend DnsDomain = tolower(DnsDomain)

DeviceProcessEvents | where InitiatingProcessCommandLine contains "cmdkey" and InitiatingProcessCommandLine contains "/list" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains 'cmd.exe' or ProcessCommandLine contains 'powershell.exe' or ProcessCommandLine contains 'rundll32.exe' | where ProcessCommandLine contains 'CredentialManager' or ProcessCommandLine contains '/list' or ProcessCommandLine contains 'credman' or ProcessCommandLine contains 'cmdkey' | project Timestamp, DeviceName, ProcessCommandLine | order by Timestamp desc | take 10

DeviceProcessEvents | where ProcessCommandLine contains "cmdkey.exe" and ProcessCommandLine has "list" | project DeviceId, DeviceName, ProcessCommandLine

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ ("cmdkey.exe", "vaultcmd.exe") | where isnotempty(ProcessCommandLine) and ( ProcessCommandLine contains "/list" or // cmdkey /list (or -list) ProcessCommandLine contains " /l" or // cmdkey /l (short form) ProcessCommandLine contains "-list" or // alternate switch form ProcessCommandLine contains "/listcreds" // vaultcmd listing creds ) | project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ExactCommand = ProcessCommandLine | order by TimeGenerated desc

union withsource=SourceTable DeviceProcessEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceLogonEvents | extend CommandLine = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessCommandLine, ProcessCommandLine)) | where isnotempty(CommandLine) // Normalize whitespace for matching | where CommandLine matches regex @"(?i)\bcmdkey(?:\.exe)?\b.*\b(?:/|-)list\b|\bcmdkey(?:\.exe)?\b.*\blist\b" | project TimeGenerated, SourceTable, DeviceName, AccountName, InitiatingProcessAccountName, FileName = coalesce(FileName, InitiatingProcessFileName), ProcessId, InitiatingProcessId, CommandLine | summarize Count = count(), LatestTime = max(TimeGenerated), Devices = make_set(DeviceName, 100), Users = make_set(AccountName, 100), SourceTables = make_set(SourceTable) by CommandLine | order by LatestTime desc | project ExactCommand = CommandLine, Count, LatestTime, Devices, Users, SourceTables

// Search for invocations of Credential Manager utilities that list stored credentials // Common ways: cmdkey.exe /list, rundll32.exe keymgr.dll, or rundll32.exe with arguments to show saved credentials let cmdnames = dynamic(["cmdkey.exe","rundll32.exe","keymgr.dll","control.exe","credwiz.exe"]); DeviceProcessEvents | where FileName in ("cmdkey.exe","rundll32.exe","control.exe","credwiz.exe") // also include rundll32 with keymgr.dll in command line | where ProcessCommandLine has_any ("/list", "cmdkey /list", "keymgr.dll", "credwiz", "Credentials") | extend Cmd = strcat(FileName, " ", ProcessCommandLine) | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, Cmd | union ( DeviceEvents | where FileName in ("cmdkey.exe","rundll32.exe","control.exe","credwiz.exe") | where ProcessCommandLine has_any ("/list", "cmdkey /list", "keymgr.dll", "credwiz", "Credentials") | extend Cmd = strcat(FileName, " ", ProcessCommandLine) | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, Cmd ) | order by TimeGenerated desc | distinct Cmd, DeviceName, DeviceId, TimeGenerated, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine | top 50 by TimeGenerated

// Identify usage of Windows Credential Manager listing commands (cmdkey /list or KRShowKeyMgr via rundll32) let cmd_names = dynamic(["cmdkey.exe","cmdkey","rundll32.exe","rundll32"]); // Search process events where the commanded process is cmdkey or rundll32 calling keymgr.dll union isfuzzy=true (DeviceProcessEvents | where tostring(ProcessCommandLine) has_any ("cmdkey","/list","/list:") or (FileName has_cs "cmdkey" and ProcessCommandLine!="") | extend CmdLine = tostring(ProcessCommandLine), EventSource = "DeviceProcessEvents", ProcFile = FileName, ProcInitiatingCmd = InitiatingProcessCommandLine ), (DeviceEvents | where isnotempty(ProcessCommandLine) and (tolower(ProcessCommandLine) has "cmdkey" or tolower(ProcessCommandLine) has "krshowkeymgr" or (tolower(ProcessCommandLine) has "rundll32" and tolower(ProcessCommandLine) has "keymgr")) | extend CmdLine = tostring(ProcessCommandLine), EventSource = "DeviceEvents", ProcFile = FileName, ProcInitiatingCmd = InitiatingProcessCommandLine ) | where CmdLine has_any ("cmdkey","/list","krshowkeymgr","keymgr") | where CmdLine !has "cmdkey /delete" // exclude deletes to focus on listing | extend CmdLineClean = trim(' ', CmdLine) | project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountName, AccountDomain, FileName=ProcFile, CmdLineClean, InitiatingProcessCommandLine=ProcInitiatingCmd, ProcessId | summarize count(), AnyTime = min(TimeGenerated) by CmdLineClean, DeviceName, DeviceId, FileName | order by AnyTime desc | take 100

let credMgrInvocations = ( DeviceProcessEvents | where (isnotempty(InitiatingProcessCommandLine) or isnotempty(ProcessCommandLine)) | extend CmdLine = tostring(coalesce(InitiatingProcessCommandLine, ProcessCommandLine, "")) | extend CmdLower = tolower(CmdLine) | where (CmdLower contains "rundll32.exe" and CmdLower contains "keymgr.dll" and CmdLower contains "krshowkeymgr") or (CmdLower contains "cmdkey.exe" and CmdLower contains "/list") | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, CmdLine ); credMgrInvocations | sort by TimeGenerated desc | take 100

let WindowsDevices = DeviceInfo | where OSPlatform contains "Windows" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (WindowsDevices) | where (InitiatingProcessFileName contains "cmdkey" or ProcessCommandLine contains "cmdkey" or InitiatingProcessCommandLine contains "cmdkey") | where (InitiatingProcessCommandLine contains "/list" or ProcessCommandLine contains "/list" or InitiatingProcessCommandLine contains "-list" or ProcessCommandLine contains "-list") | extend FullCommand = coalesce(InitiatingProcessCommandLine, ProcessCommandLine) | project TimeGenerated, DeviceName, DeviceId, FullCommand, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessAccountName, InitiatingProcessAccountDomain

DeviceProcessEvents | where FileName == 'cmdkey.exe' and ProcessCommandLine contains '/list' | project DeviceName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine | order by ProcessCreationTime desc

DeviceProcessEvents | where FileName == 'cmdkey.exe' | where ProcessCommandLine contains '/list' | project TimeGenerated, DeviceName, ProcessCommandLine, AccountName

DeviceProcessEvents | where FileName =~ "cmdkey.exe" | where ProcessCommandLine has "/list" | project TimeGenerated, DeviceId, DeviceName, AccountDomain, AccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "cmdkey.exe" or FileName =~ "vaultcmd.exe" | where ProcessCommandLine contains "list" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FolderPath | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "cmdkey.exe" // built-in credential manager CLI | where ProcessCommandLine has_any("/list", "/l") // listing stored credentials | project TimeGenerated, DeviceName, AccountSid, AccountName, ProcessCommandLine | summarize Executions=count() by ProcessCommandLine | order by Executions desc

union (DeviceProcessEvents | where FileName == "cmdkey.exe" and ProcessCommandLine has "/list" | project TimeGenerated, DeviceName, FullCommand = ProcessCommandLine), (DeviceProcessEvents | where FileName == "rundll32.exe" and ProcessCommandLine has "keymgr.dll,KRShowKeyMgr" | project TimeGenerated, DeviceName, FullCommand = ProcessCommandLine) | sort by TimeGenerated desc

DeviceProcessEvents | where tolower(FileName) == "cmdkey.exe" | where ProcessCommandLine contains "/list" | project TimeGenerated, DeviceName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has_cs "cmdkey" and ProcessCommandLine has_cs "/list" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | distinct TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "cmdkey.exe" | where ProcessCommandLine has "/list" | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, ProcessCommandLine | order by TimeGenerated desc