{
  "id": "5377",
  "source": "windows_security",
  "category": "CredentialMgr",
  "name": "Credential Manager credentials were restored from backup",
  "priority": "P2",
  "applicable_version": "Windows Server 2008 R2 and later",
  "last_reviewed": "2026-07-13",
  "definition": "Windows Security Event ID 5377 records successful restore of the user Credential Manager database from backup.",
  "trigger_scenarios": "This event is generated when the Subject successfully restores the Credential Manager database, typically through the Credential Manager control-panel workflow.",
  "key_fields": [
    {
      "field": "SubjectUserName / SubjectDomainName",
      "explanation": "Identifies the account that performed the restore operation. Microsoft documents that this is the Subject account."
    },
    {
      "field": "SubjectLogonId",
      "explanation": "Hexadecimal logon ID that correlates the restore to the user logon session and nearby process creation."
    },
    {
      "field": "Computer",
      "explanation": "Identifies whether the restore occurred on a domain controller, member server, or workstation; Microsoft documents that the event can occur on all three."
    }
  ],
  "false_positives": [
    "Legitimate restore through Credential Manager can occur during user migration or device replacement.",
    "Administrative support activity may restore user credentials with the user present, but it should have a ticket."
  ],
  "related_event_ids": [
    "5376",
    "4624",
    "4688"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1555.004",
      "technique_name": "Credentials from Password Stores: Windows Credential Manager"
    }
  ],
  "detection_notes": "Use threshold=1 occurrence because Microsoft states every 5377 should be recorded and that restoring Credential Manager credentials is very rarely used and can indicate malicious activity. MITRE T1555.004 notes that Credential Manager backup and restoration can be reached through rundll32.exe keymgr.dll KRShowKeyMgr; a restore followed by 4624 access to network resources can indicate imported credentials. Correlate SubjectLogonId to 4688 and validate the user migration ticket.",
  "kql_snippet": "SecurityEvent\n| where EventID == 5377\n| project TimeGenerated, Computer, Account",
  "spl_snippet": "index=wineventlog EventCode=5377 | table _time, host",
  "sample_log": "EventID: 5377\nSubjectUserName: j.smith\nSubjectDomainName: CORP\nSubjectLogonId: 0x30d7c\nComputer: WS-042",
  "source_url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5377",
  "route": "/windows-events/5377/",
  "canonical_url": "https://soceventlookup.com/windows-events/5377/",
  "json_url": "/api/events/windows-security/5377.json"
}
