
5376 Credential Manager credentials were backed up

Logged when credentials stored in Credential Manager are backed up. It deserves attention because a backup is a bulk export of stored secrets to a single file.

Overview

The subcategory is Audit User Account Management. The event is generated when the contents of Credential Manager (the Windows vault that stores web, application and network passwords) are backed up, that is, exported to a file. Its counterpart is 5377, logged when credentials are restored from such a backup.

How it is triggered

  • The “back up credentials” operation in Credential Manager. The backup is written to a password-protected file.

Security review points

  • A backup writes every stored credential to one file, so it is a bulk export. An attacker with access to a user's session can use this feature to export the credentials and restore them (5377) on another machine. Treat unexpected backups as suspicious, especially those performed by administrators or by users known to be targeted.
  • Correlate with 5377 (restore from backup) and the DPAPI master-key events 4692 (backup of a master key) and 4693 (recovery of a master key) to follow how credential material is exported and moved.

Notes for log review

  • It also occurs with legitimate user actions, but infrequently. Check the acting subject and the time of day, and investigate backups that do not match a known user action.
  • Correlate with suspicious file operations or signs of exfiltration shortly after a backup, for example 5145 network share access by the same account.
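As an added example, not part of the original page, the following script implements the correlation the two sections above describe: for each 5376 it looks for a 5377 restore on a different host, a 5145 share access, or a DPAPI 4692/4693 event by the same account within a time window. The event records, host and account names and the 60-minute window are constructed assumptions for the example; in practice the records would come from Get-WinEvent or a SIEM export.

```python
"""Added example: correlate Credential Manager backup events (5376) with the
follow-on events discussed above (5377 restore, 5145 share access,
4692/4693 DPAPI master-key events). Records are constructed, not real logs."""
from datetime import datetime, timedelta

# Constructed sample of Security-log records, reduced to the fields used here
# (Subject\Account Name is "account"; the logging computer is "host").
# Hosts, accounts and times are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "id": 5376, "host": "WS01", "account": "alice"},
    {"time": "2024-03-01T09:02:30", "id": 5145, "host": "WS01", "account": "alice",
     "share": r"\\FS01\transfer"},
    {"time": "2024-03-01T09:40:00", "id": 5377, "host": "WS07", "account": "alice"},
    {"time": "2024-03-01T11:00:00", "id": 5376, "host": "WS02", "account": "bob"},
    {"time": "2024-03-01T11:05:00", "id": 4693, "host": "WS02", "account": "bob"},
    {"time": "2024-03-01T12:00:00", "id": 5376, "host": "WS03", "account": "carol"},
]

FOLLOW_ON_IDS = {5377, 5145, 4692, 4693}


def _parse(events):
    """Copy the records with ISO timestamps turned into datetimes, oldest first."""
    recs = []
    for e in events:
        rec = dict(e)
        rec["time"] = datetime.fromisoformat(e["time"])
        recs.append(rec)
    return sorted(recs, key=lambda r: r["time"])


def correlate_backups(events, window=timedelta(minutes=60)):
    """Return one finding per 5376 event.

    A finding lists the follow-on events by the same account inside `window`
    that raise suspicion: a 5377 restore on a *different* host (the backup was
    transported elsewhere), a 5145 share access (the file may have left the
    box), or a DPAPI master-key event 4692/4693. A 5377 on the same host by
    the same user is the usual legitimate pattern and is not flagged.
    Severity is "high" when any reason was found, otherwise "review", since
    even a bare backup deserves a look at who performed it and when.
    """
    recs = _parse(events)
    findings = []
    for i, rec in enumerate(recs):
        if rec["id"] != 5376:
            continue
        reasons = []
        for f in recs[i + 1:]:
            if f["time"] - rec["time"] > window:
                break  # records are sorted, so nothing later is in the window
            if f["account"] != rec["account"] or f["id"] not in FOLLOW_ON_IDS:
                continue
            minutes = int((f["time"] - rec["time"]).total_seconds() // 60)
            if f["id"] == 5377 and f["host"] != rec["host"]:
                reasons.append(f"restored on another host ({f['host']}) {minutes} min later")
            elif f["id"] == 5145:
                reasons.append(f"share access to {f.get('share', '?')} {minutes} min later")
            elif f["id"] in (4692, 4693):
                reasons.append(f"DPAPI master-key event {f['id']} on {f['host']} {minutes} min later")
        findings.append({
            "account": rec["account"],
            "host": rec["host"],
            "time": rec["time"].isoformat(),
            "severity": "high" if reasons else "review",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_backups(SAMPLE_EVENTS):
        print(f"{finding['time']} {finding['severity']:6} {finding['account']}@{finding['host']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On the sample data, alice's backup is rated high (share access two minutes later, restore on WS07 forty minutes later), bob's is rated high because of the DPAPI 4693 on the same box, and carol's bare backup is left at "review" so the analyst still checks the subject and timing as the notes above recommend.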

Key fields

Field                   Meaning
Subject\Account Name    The account that performed the backup
