
5377 Credential Manager credentials were restored from a backup

Logged when the credentials stored in Credential Manager are restored from a backup file. Read together with 5376 (credentials backed up), it shows where stored credentials were exported and re-imported, that is, how they moved between accounts or machines.

Overview

Subcategory: Audit User Account Management. The event is generated when the contents of Credential Manager are restored (imported) from a password-protected backup file (.crd) produced by the backup operation that logs 5376.

How it is triggered

  • The “Restore Credentials” operation in Credential Manager (Control Panel > Credential Manager > Windows Credentials), which runs the backup/restore wizard credwiz.exe. It is an interactive GUI operation, and the user must supply the password chosen when the backup was created.

Security review points

  • An attacker who obtains a backup file (and its password) can restore it into an account or machine they control and then use the stored credentials. Treat a restore performed on a different machine, or under a different account, than the one that produced the backup as suspicious.
  • Pair each 5377 with its 5376 to trace where the credentials were exported from and imported to. The Subject fields identify the importing account and its logon session; correlate with logons that use the restored credentials shortly afterwards (4624 on the target, and 4648 on the restoring host when stored credentials are used explicitly).

Notes for log review

  • Legitimate migration or recovery also produces this event, but it is rare. Check which account performed the restore, when, and whether a matching 5376 exists in the collected logs.
  • Treat cases where the backup source and the restore destination are different accounts or machines as high priority.
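The review points and log-review notes above describe one correlation: match each 5377 to the 5376 that produced the backup, rate the restore by whether source and destination differ, and look for logons on the restoring host right after the import. The following PowerShell is an added example of that logic, not code from the original page. It works on flattened event objects so it can run offline against the constructed sample below and, through Get-WinEvent and the ConvertFrom-SecurityEvent helper, against a live Security log; the function names, the host names WS01/WS02, the account names and the 30-minute window are assumptions for illustration.

```powershell
# Added example (not from the original page): correlate 5377 restores with 5376 backups
# and follow-on 4624 logons. Function names and sample data are hypothetical.
# Flattened event objects carry: Id, TimeCreated, MachineName, SubjectUserName,
# SubjectDomainName, SubjectLogonId, TargetUserName, LogonType.

function ConvertFrom-SecurityEvent {
    # Flatten an EventLogRecord from Get-WinEvent into the fields used below.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id                = $Event.Id
            TimeCreated       = $Event.TimeCreated
            MachineName       = $Event.MachineName
            SubjectUserName   = $data['SubjectUserName']
            SubjectDomainName = $data['SubjectDomainName']
            SubjectLogonId    = $data['SubjectLogonId']
            TargetUserName    = $data['TargetUserName']   # present on 4624 only
            LogonType         = $data['LogonType']        # present on 4624 only
        }
    }
}

function Get-CredManRestoreFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $LogonWindowMinutes = 30   # assumed window for "logon right after the restore"
    )
    $backups  = @($Events | Where-Object Id -eq 5376)
    $restores = @($Events | Where-Object Id -eq 5377)
    $logons   = @($Events | Where-Object Id -eq 4624)

    foreach ($r in $restores) {
        # Backups taken earlier by the same account, anywhere in the collected logs.
        $priorBySubject = @($backups | Where-Object {
            $_.TimeCreated -le $r.TimeCreated -and
            $_.SubjectUserName -eq $r.SubjectUserName -and
            $_.SubjectDomainName -eq $r.SubjectDomainName
        })
        $sameHost = @($priorBySubject | Where-Object MachineName -eq $r.MachineName)

        if ($sameHost.Count -gt 0) {
            $priority = 'Low'
            $reason   = 'Backup and restore by the same account on the same host'
        } elseif ($priorBySubject.Count -gt 0) {
            $priority = 'High'
            $reason   = "Backup taken on $($priorBySubject[0].MachineName), restored on $($r.MachineName)"
        } else {
            $priority = 'High'
            $reason   = 'No matching 5376 in the collected logs (other account/host, or outside the window)'
        }

        # Logons on the restoring host shortly after the import: candidates for use of the restored secrets.
        $followOn = @($logons | Where-Object {
            $_.MachineName -eq $r.MachineName -and
            $_.TimeCreated -ge $r.TimeCreated -and
            $_.TimeCreated -le $r.TimeCreated.AddMinutes($LogonWindowMinutes)
        })

        [pscustomobject]@{
            Time           = $r.TimeCreated
            Host           = $r.MachineName
            Subject        = "$($r.SubjectDomainName)\$($r.SubjectUserName)"
            LogonId        = $r.SubjectLogonId
            Priority       = $priority
            Reason         = $reason
            FollowOnLogons = ($followOn | ForEach-Object { "$($_.TargetUserName) (type $($_.LogonType))" }) -join ', '
        }
    }
}

# Constructed sample (not real logs): alice backs up on WS01, restores on WS02 three hours
# later, and a logon as svc-backup follows on WS02 within minutes. Expect Priority = High.
$t = [datetime]'2024-01-15T09:00:00'
$sample = @(
    [pscustomobject]@{ Id = 5376; TimeCreated = $t;                            MachineName = 'WS01'; SubjectUserName = 'alice'; SubjectDomainName = 'CORP'; SubjectLogonId = '0x3e7a1'; TargetUserName = $null;        LogonType = $null }
    [pscustomobject]@{ Id = 5377; TimeCreated = $t.AddHours(3);                MachineName = 'WS02'; SubjectUserName = 'alice'; SubjectDomainName = 'CORP'; SubjectLogonId = '0x5c210'; TargetUserName = $null;        LogonType = $null }
    [pscustomobject]@{ Id = 4624; TimeCreated = $t.AddHours(3).AddMinutes(4);  MachineName = 'WS02'; SubjectUserName = 'alice'; SubjectDomainName = 'CORP'; SubjectLogonId = '0x5c210'; TargetUserName = 'svc-backup'; LogonType = '2' }
)
Get-CredManRestoreFindings -Events $sample | Format-List

# Against a live Security log (elevated prompt; adjust StartTime to the review window):
# $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5376, 5377, 4624; StartTime = (Get-Date).AddDays(-7) } |
#       ConvertFrom-SecurityEvent
# Get-CredManRestoreFindings -Events $ev | Sort-Object Priority, Time | Format-Table -AutoSize
```

Because the backup file can be carried to another machine, the "no matching 5376" case only means no backup was found in the logs you collected; when the suspected source host is known, pull its Security log for the same subject before concluding that no backup exists. The Logon ID in the finding is the handle for the next step: everything else done in that session on the restoring host shares it.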

Key fields

Field                     Meaning
Subject\Security ID       SID of the account that performed the restore
Subject\Account Name      The account that performed the restore
Subject\Account Domain    Domain of that account
Subject\Logon ID          Logon session of the restoring account; ties the restore to the session's 4624 and to later activity in the same session
