{
  "id": "5376",
  "source": "windows_security",
  "category": "CredentialMgr",
  "name": "Credential Manager credentials were backed up",
  "priority": "P2",
  "applicable_version": "Windows Server 2008 R2 and later",
  "last_reviewed": "2026-07-13",
  "definition": "Windows Security Event ID 5376 records successful backup of the user Credential Manager database.",
  "trigger_scenarios": "This event is generated when the Subject successfully backs up the Credential Manager database, typically through the Credential Manager control-panel workflow.",
  "key_fields": [
    {
      "field": "SubjectUserName / SubjectDomainName",
      "explanation": "Identifies the account that performed the backup operation. Microsoft documents that this is the Subject account."
    },
    {
      "field": "SubjectLogonId",
      "explanation": "Hexadecimal logon ID that correlates the backup to the user logon session and nearby process creation."
    },
    {
      "field": "Computer",
      "explanation": "Identifies whether the backup occurred on a domain controller, member server, or workstation; Microsoft documents that the event can occur on all three."
    }
  ],
  "false_positives": [
    "Legitimate user-initiated credential backup through Credential Manager is possible but rare.",
    "Help-desk migration workflows can intentionally back up user credentials during device replacement."
  ],
  "related_event_ids": [
    "5377",
    "4624",
    "4688"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1555.004",
      "technique_name": "Credentials from Password Stores: Windows Credential Manager"
    }
  ],
  "detection_notes": "Use threshold=1 occurrence because Microsoft states every 5376 should be recorded and that Credential Manager backup is very rarely used and can indicate malicious activity. MITRE T1555.004 explicitly notes credential backups via rundll32.exe keymgr.dll KRShowKeyMgr and Windows Credential Manager vault material under %Systemdrive%\\Users\\[Username]\\AppData\\Local\\Microsoft\\[Vault/Credentials]\\. Correlate SubjectLogonId to 4688 for rundll32.exe, vaultcmd.exe, or unusual interactive activity before closing.",
  "kql_snippet": "SecurityEvent\n| where EventID == 5376\n| project TimeGenerated, Computer, Account",
  "spl_snippet": "index=wineventlog EventCode=5376 | table _time, host",
  "sample_log": "EventID: 5376\nSubjectUserName: j.smith\nSubjectDomainName: CORP\nSubjectLogonId: 0x30d7c\nComputer: WS-042",
  "source_url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5376",
  "route": "/windows-events/5376/",
  "canonical_url": "https://soceventlookup.com/windows-events/5376/",
  "json_url": "/api/events/windows-security/5376.json"
}
