Taking a Deeper Look at Windows Credential Roaming

March 8, 2023

Taking a deeper look at Windows Credential Roaming, it’s possible to get some more detail on why it works the way it does, and how to protect against abuse. In this article, we’ll go over a few of the most common reasons a roaming token is use by a threat actor. We’ll also go over how to configure profile management to sync saved passwords in Internet Explorer, and we’ll look at a few tools that can help you identify the roaming token.


Mimikatz is a powerful credential stealing application that helps attackers to get more privileged access on a victim’s network. It is also use to perform other malicious activities.

Mimikatz can run manually, or remotely with the Microsoft PowerShell module. It is compatible with the latest Windows release and is designed to extract passwords and other credentials from memory. It can run on both 32-bit and 64-bit x86 architectures. It is compatible with the Windows CryptoAPI module, which allows it to extract private keys and certificates.

To execute Mimikatz, you need SYSTEM privileges. You must also turn off debug privileges.


Credential Roaming is a Windows feature that helps to secure your PKI certificates and private keys. It helps reduce certificate management overhead by keeping your credentials up to date and in sync between workstations.

Credential Roaming allows users to access and manage PKI certificates and private keys from multiple workstations, even when they are inside a domain. This feature is not compatible with certificates that have their private key stored in hardware.

If your organization is using Windows Credential Roaming, you should consider decommissioning it. This will allow your certificate sets to move to a smart card. Smart cards have better security than Credential Roaming.


LSASS (local security authority subsystem service) is a Windows service that stores user credentials. This can used to move laterally or escalate privileges.

There are a lot of ways to read the LSASS process memory. Some methods are better than others. Using a tool called MiniDumpWriteDump, I was able to write a complete snapshot of the LSASS process, which I can then read.

Another tool is a Metasploit module called Mimikatz. This tool manipulates the LSASS process memory to read and output password hashes in plain text. The resulting file is often block by local antivirus software, but it can still retrieve by a determined attacker.

Identifying the Windows Credential Roaming Token

The Windows Credential Roaming Token is a small piece of software that allows for the movement of credentials from one computer system to another. A cryptographic session key is used to ensure the security of the communications between the two computing systems.

This feature is not new, and it has been in existence since Windows Server 2003 SP1; however, it removed in Windows Vista. In Windows 7, Windows Vista’s credential roaming functionality disabled. A few years later, Microsoft published a white paper describing this feature and its shortcomings.

In the early twenty-first century, the Russian-linked APT29 group, also known as the Dukes, Cozy Bear, SVR group, and Nobelium, started using the Windows Credential Roaming Token to its advantage. Specifically, the APT29 group successfully phished a European diplomatic entity, using this feature to its full potential.

Configuring Profile Management to sync Saved Passwords in Internet Explorer

Microsoft Credential Roaming allows you to store certificates in Active Directory and then roam with users. It also eliminates duplicate certificates, reducing certificate management overhead. You may have noticed that your saved passwords aren’t retaining between sessions. Fortunately, there are several ways to fix this.

One way is to use Profile Management to migrate your profiles between operating systems. This can speed up your logon time and minimize the amount of re-keying that occurs during a login.

Another option is to move your files into a container. While you can’t do this on Windows 10 yet, you can on Vista and Windows Server 2008. However, you can’t have the container sync with the file server.

Mandiant identified situations that could allow a threat actor to abuse the Windows Credential Roaming feature

In early 2022, Mandiant researchers discovered that APT29, a nation-state hacking group, was exploiting the Windows Credential Roaming feature. This is a lesser-known feature that allows users to roam certificates from one workstation to another.

The threat actor used this feature to authenticate as a user on a victim account. This allowed the attacker to access sensitive data on the victim’s products and services. In addition, the actor had access to the user’s cleartext password, allowing them to pose as the victim.

In some cases, the threat actor was successful, logging on to devices and acquiring access to the enterprise network. The threat actor also downloaded the victim’s customer list.

Ammar Fakhruddin


Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

Data Security Through Data Literacy

Data Security Through Data Literacy

Unlocking data security through data literacy. Explore the pivotal role of understanding data in fortifying cybersecurity measures. Data is now pervasive, and it is important for people to understand how to work with this information. They need to be able to interpret...

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle drops malware. Stay vigilant against cybersecurity threats, and secure your online anonymity with caution. Threat actors have been using Trojanized installers for the Tor browser to distribute clipboard-injector malware that siphons...

Siri Privacy Risks: Unveiling the Dangers

Siri Privacy Risks: Unveiling the Dangers

Unveiling Siri privacy risks: Understand the potential dangers and take steps to enhance your digital assistant's security. Siri is a great piece of technology, but it can also be dangerous to users’ privacy. This is a serious issue that should be addressed....

Recent Case Studies

Press Releases

News & Events


Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing



About Us