Event ID 5379 — Credential Manager credentials were read.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Credential Manager credentials were read.

Message #

Credential Manager credentials were read.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4
	Read Operation: %8

This event occurs when a user performs a read operation on stored credentials in Credential Manager.

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`TargetName` UnicodeString	—
`Type` UInt32	—
`CountOfCredentialsReturned` UInt32	—
`ReadOperation` UnicodeString	[Subject] Read Operation Known values `%%8099` Read Credential `%%8100` Enumerate Credentials `%%8101` Read Domain Credentials `%%8102` Find Best Credential `%%8103` Read By Token Handle
`ReturnCode` UInt32	—
`ProcessCreationTime` FILETIME	—
`ClientProcessId` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5379,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:40.049147+00:00",
    "event_record_id": 2888,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 896
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "TargetName": "WindowsLive:target=virtualapp/didlogical",
    "Type": 0,
    "CountOfCredentialsReturned": 0,
    "ReadOperation": "%%8100",
    "ReturnCode": 3221226021,
    "ProcessCreationTime": "2023-11-06T06:25:38.635483Z",
    "ClientProcessId": 1612
  },
  "message": ""
}

Community Notes #

Credential Manager credentials were read. Large numbers of reads may indicate automated credential theft.

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Password Protected ZIP File Opened source medium: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Suspicious Filenames) source high: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Email Attachment) source high: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5379
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx