How did my domain password get into Windows Credential Storage? - eviltoast

Hello!

I’ve recently stumbled upon an amazing blog about getting credentials from Bitwarden vault through DPAPI and Windows Credential Storage, and what suprised me is that any low-privileged process can just ask for all information in Credential Storage, without requiring any user input (the article discusses it in the second half, even though the first half is about abusing DA credentials), through the CredEnumerateW WinApi call.

Since that vector was pretty interresting, I tried running their PoC for listing the cred storage on my, and several colleague machines, and was surprised that every machine had domain account credentials listed in plaintext, that could be grabbed by any low-privileged process just by calling this WinAPI.

I suspected that it’s because of Outlook or Teams, because I found articles from few years ago mentioning that they do get saved there. However, one colleague did not have his credentials there, even though he was using Teams and Outlook, and had his password saved.

So, how did that password get there? Why most people we tried the PoC with do have a domain password saved, but some do not? Or is it because of Windows Hello? I’d love to get some kind of solution/recommendation about how to avoid having your password, in plaintext, in such an insecure space. Or was I dumb enough to save it into Edge somwhere, and have promptly forgotten about it?

And more importantly - how this isn’t a pretty severe vulnerability, and is considered “as designed” by Microsoft? The fact that any process can just ask for your credentials is mind-blowing, plus it isn’t even detected by EDRs we’ve tried it with when discussing it with our SoC.