id: get-stored-credentials-cmdkey

info:
  name: Get Stored Credentials - cmdkey
  author: pussycat0x
  severity: high
  description: |
    The cmdkey /list command in Windows is used to list all the stored credentials on the system. These credentials can include saved usernames and passwords for network resources, websites, or remote computers.
  metadata:
    verified: true
  tags: code,windows,privesc,ps,enum

self-contained: true

code:
  - engine:
      - powershell
      - powershell.exe

    args:
      - -ExecutionPolicy
      - Bypass
      - -File

    pattern: "*.ps1"

    source: |
      cmdkey /list

    extractors:
      - type: dsl
        dsl:
          - response
# digest: 4a0a00473045022015e9929e942aa2e02815129c94477f42eb4a6c7632693abe6024f5f3116a63e3022100af0ba71a9a190d9f08f9764fdb777ed2a907b6592070f52b80ecbfb541b01f50:922c64590222798bb761d5b6d8e72950