Windows Event ID 5376 – Microsoft-Windows-Security-Auditing: Credential Manager Credentials Were Backed Up

Start by examining the specific details of the credential backup event to understand what was backed up and by whom.

1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
2. Navigate to Windows Logs → Security
3. Filter for Event ID 5376 by right-clicking the Security log and selecting Filter Current Log
4. Enter 5376 in the Event IDs field and click OK
5. Double-click the event to view details including:
   • Subject account name and domain
   • Backup file path and location
   • Number of credentials backed up
   • Process name that initiated the backup

Use PowerShell for more detailed analysis:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5376} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

Investigate the context around the credential backup by examining related events and process activity.

1. Check for related logon events around the same time:

$BackupTime = (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5376} -MaxEvents 1).TimeCreated
$StartTime = $BackupTime.AddMinutes(-30)
$EndTime = $BackupTime.AddMinutes(30)

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4648; StartTime=$StartTime; EndTime=$EndTime} | Format-Table TimeCreated, Id, Message

2. Examine process creation events to identify the application that initiated the backup:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$StartTime; EndTime=$EndTime} | Where-Object {$_.Message -like "*credential*" -or $_.Message -like "*backup*"}

3. Check if the backup file still exists at the specified location
4. Verify the user account had legitimate reasons to perform credential backup
5. Review any scheduled tasks or scripts that might have triggered the backup

Examine the current state of Credential Manager and investigate any backup files created during the event.

1. List current credentials in Credential Manager using PowerShell:

# Requires elevated privileges
Get-StoredCredential | Format-Table UserName, Target, Type, LastWriteTime

2. Check the backup file location mentioned in the event (if accessible):

$BackupPath = "C:\Path\From\Event\Details"
if (Test-Path $BackupPath) {
    Get-ChildItem $BackupPath -Recurse | Format-Table Name, Length, CreationTime, LastWriteTime
} else {
    Write-Host "Backup file not found at specified location" -ForegroundColor Yellow
}

3. Review Credential Manager through Control Panel:
   • Open Control Panel → User Accounts → Credential Manager
   • Check both Web Credentials and Windows Credentials sections
   • Note any recently modified or suspicious entries
4. Examine registry entries for credential manager activity:

Get-ItemProperty -Path "HKCU\Software\Microsoft\Protected Storage System Provider" -ErrorAction SilentlyContinue

Set up proactive monitoring to detect future credential backup events and establish baseline behavior patterns.

1. Create a PowerShell script for continuous monitoring:

# Save as Monitor-CredentialBackup.ps1
$LogName = 'Security'
$EventID = 5376
$LastCheck = (Get-Date).AddHours(-1)

while ($true) {
    $Events = Get-WinEvent -FilterHashtable @{LogName=$LogName; Id=$EventID; StartTime=$LastCheck} -ErrorAction SilentlyContinue
    
    if ($Events) {
        foreach ($Event in $Events) {
            $Message = "ALERT: Credential backup detected at $($Event.TimeCreated) by $($Event.Properties[1].Value)"
            Write-Host $Message -ForegroundColor Red
            # Add email notification or SIEM integration here
        }
    }
    
    $LastCheck = Get-Date
    Start-Sleep -Seconds 300  # Check every 5 minutes
}

2. Configure Windows Event Forwarding for centralized logging:

# On collector server
wecutil qc /q

# Create subscription for Event ID 5376
$SubscriptionXML = @"

    CredentialBackupMonitoring
    *[System[(EventID=5376)]]]]>

"@

$SubscriptionXML | Out-File -FilePath "C:\temp\credential-backup-subscription.xml"
wecutil cs "C:\temp\credential-backup-subscription.xml"

3. Set up Task Scheduler for automated response:
4. Create custom Event Viewer views filtered for Event ID 5376
5. Document baseline patterns of legitimate credential backup operations

Perform deep forensic analysis to determine if the credential backup represents a security incident requiring incident response procedures.

1. Collect comprehensive event data for analysis:

# Export all related security events for forensic analysis
$ExportPath = "C:\Forensics\CredentialBackup-$(Get-Date -Format 'yyyyMMdd-HHmmss').evtx"
$StartDate = (Get-Date).AddDays(-7)

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5376,4624,4625,4648,4688; StartTime=$StartDate} | Export-Clixml -Path "$ExportPath.xml"

# Create timeline of events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5376; StartTime=$StartDate} | 
    Select-Object TimeCreated, Id, LevelDisplayName, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='BackupPath';Expression={$_.Properties[5].Value}} | 
    Sort-Object TimeCreated | Format-Table -AutoSize

2. Analyze network connections during the backup timeframe:

# Check for suspicious network activity
Get-NetTCPConnection | Where-Object {$_.State -eq 'Established'} | 
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess | 
    ForEach-Object {
        $Process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $_ | Add-Member -NotePropertyName ProcessName -NotePropertyValue $Process.ProcessName
        $_
    } | Format-Table

3. Check for indicators of compromise:
4. Review file system activity around backup locations using Get-ChildItem with -Force parameter
5. Examine memory dumps if available for credential harvesting tools
6. Correlate with threat intelligence feeds for known credential theft techniques
7. Document findings and create incident response timeline if malicious activity is confirmed