Description

Inventory high-confidence stored credential artifacts, protected credential stores, and select authentication-related configuration or session locations on Windows using a strict allowlist and PowerShell/.NET APIs only.

Documentation

Detailed Description

High-Confidence Stored Credential Artifact Inventory is a defensive Windows triage script designed to identify likely locations of stored credentials with substantially lower false positives than broad filename or keyword searches.

Instead of recursively scanning for generic terms like credential, token, azure, or aws, this script uses a strict allowlist of known high-signal paths and registry locations. This makes the output more useful for security reviews, incident response triage, credential hygiene assessments, and endpoint hardening.

The script returns only PSCustomObject output and does not invoke external executables. It uses built-in PowerShell and .NET APIs to:

Emit a single Context record describing the current execution context.
Check a curated set of filesystem locations associated with:
- Windows Credential Manager
- Windows Vault
- DPAPI-related storage
- SSH private keys and configuration
- Git credential storage
- AWS, Azure, and Google Cloud local auth material
- Docker, Kubernetes, npm, PyPI, netrc, and NuGet auth-related config
Optionally inspect selected registry keys for:
- PuTTY sessions and host keys
- WinSCP sessions
- OpenSSH configuration indicators
Classify each result by:
- Category
- ArtifactType
- Confidence
- Reason

This script is intentionally tuned for high-confidence artifact discovery, not broad discovery. It is best suited for identifying likely credential-bearing material while minimizing noise from caches, package files, IDE installations, DLLs, temp files, and developer tooling artifacts.

Output Record Types

Context

A single record describing the user and host context in which the script ran.

Artifact

A filesystem-backed record representing a discovered file or directory from the allowlist.

RegistryIndicator

A registry-backed record indicating whether a selected key exists and which non-PowerShell properties were present.

Artifact Types

ArtifactType	Meaning
`StoredCredential`	High-confidence location likely to hold credential material directly.
`ProtectedStore`	Protected operating system credential or key storage location.
`ConfigWithPossibleSecrets`	Configuration file or settings store that may contain secrets, tokens, usernames, feed URLs, or auth references.
`SessionOrHostHistory`	Session history, saved targets, usernames, or prior connection metadata rather than direct secrets.
`ConfigIndicator`	A lower-confidence indicator showing related auth tooling or configuration exists.

Parameters

Name	Type	Required	Default	Description
`IncludeRegistryIndicators`	`bool`	No	`$true`	When enabled, includes registry-based indicators for PuTTY, WinSCP, and OpenSSH-related locations.

High-Signal Target Categories

Windows Credential and Protected Storage

Category	Typical Purpose	Confidence
`WindowsCredentialManager`	Per-user Windows credential blobs	High
`WindowsVault`	Windows Vault protected storage	High
`DPAPI`	DPAPI-related protected key material	Medium

Cloud and Developer Authentication Stores

Category	Typical Purpose	Confidence
`AWS`	Shared credentials and config	High / Medium
`Azure`	Azure CLI token/profile material	High / Medium
`GCloud`	Google ADC and local credential database	High
`Git`	Git credential storage and helper configuration	High / Low
`Docker`	Registry auth-related configuration	Medium
`Kubernetes`	Cluster access and token/cert references	Medium
`NPM`	Registry token configuration	Medium
`PyPI`	Repository credential configuration	Medium
`Netrc`	Common plaintext credential file format	High
`NuGet`	Private feed and auth-related configuration	Medium

SSH and Remote Access Context

Category	Typical Purpose	Confidence
`SSH`	Private keys, connection configuration, known hosts	High / Medium / Low
`PuTTY`	Saved sessions and SSH host key history	Medium / Low
`WinSCP`	Saved sessions and endpoint/auth configuration	Medium
`OpenSSH`	Configuration presence indicator	Low

Returned Object Fields

Context Record Fields

Field	Description
`RecordType`	Always `Context`.
`Username`	Current user name from the environment.
`UserProfile`	Current user profile path.
`ComputerName`	Current computer name.
`IsAdministrator`	Whether the current token is a member of the local Administrators group.
`TimestampUtc`	UTC timestamp when the context record was created.

Artifact Record Fields

Field	Description
`RecordType`	Always `Artifact`.
`Category`	Broad technology or application family associated with the finding.
`ArtifactType`	Classification of the artifact’s likely security significance.
`Confidence`	Analyst-facing confidence level for the finding.
`Reason`	Short explanation of why the path is included.
`FullName`	Full path to the file or directory.
`Name`	File or directory name only.
`ParentPath`	Parent directory path.
`IsDirectory`	Indicates whether the artifact is a directory.
`LengthBytes`	File size in bytes for files; null for directories.
`LastWriteTimeUtc`	Last modified timestamp in UTC.
`CreationTimeUtc`	Creation timestamp in UTC.
`Attributes`	File attribute flags as a string.
`IsHidden`	Whether the hidden attribute is set.
`IsReadOnly`	Whether the read-only attribute is set.

RegistryIndicator Record Fields

Field	Description
`RecordType`	Always `RegistryIndicator`.
`Category`	Technology or application family.
`ArtifactType`	Classification of the registry finding.
`Confidence`	Confidence level for the finding.
`Reason`	Why the registry location is relevant.
`RegistryPath`	Registry path queried.
`Accessible`	Whether the registry path could be queried successfully.
`PropertyNames`	Non-PowerShell property names found at the registry path.
`PropertyCount`	Count of non-PowerShell properties found.

Confidence Guidance

Confidence	Meaning
`High`	Strong indicator of stored credentials or protected credential storage.
`Medium`	Likely auth-related configuration or storage that may contain secrets or access context.
`Low`	Environmental or historical context that may help triage but is not itself strong evidence of stored credentials.

Notes

known_hosts and PuTTY host keys are useful context, but they are not direct credentials.
NuGet.Config, docker config.json, and kube config may contain auth material depending on how the environment is configured, so they are intentionally classified below direct credential stores.
Windows Credentials, Vault, and DPAPI-related directories are high-value indicators of stored or protected auth material.
The script is intentionally conservative and does not perform broad recursive discovery, which helps reduce false positives significantly.

Example Output

[
  {
    "RecordType": "Context",
    "Username": "helpdesk",
    "UserProfile": "C:\\Users\\helpdesk",
    "ComputerName": "DEV",
    "IsAdministrator": false,
    "TimestampUtc": "2026-03-08T03:26:18.7551284Z"
  },
  {
    "RecordType": "Artifact",
    "Category": "WindowsCredentialManager",
    "ArtifactType": "StoredCredential",
    "Confidence": "High",
    "Reason": "Windows per-user credential blobs",
    "FullName": "C:\\Users\\helpdesk\\AppData\\Local\\Microsoft\\Credentials\\9DD3DA048CBCA52F94F7CE1BD4692028",
    "Name": "9DD3DA048CBCA52F94F7CE1BD4692028",
    "ParentPath": "C:\\Users\\helpdesk\\AppData\\Local\\Microsoft\\Credentials",
    "IsDirectory": false,
    "LengthBytes": 816,
    "LastWriteTimeUtc": "2026-03-07T17:12:10Z",
    "CreationTimeUtc": "2026-03-07T17:12:10Z",
    "Attributes": "Archive",
    "IsHidden": false,
    "IsReadOnly": false
  },
  {
    "RecordType": "Artifact",
    "Category": "SSH",
    "ArtifactType": "SessionOrHostHistory",
    "Confidence": "Low",
    "Reason": "SSH host history, not a credential",
    "FullName": "C:\\Users\\helpdesk\\.ssh\\known_hosts",
    "Name": "known_hosts",
    "ParentPath": "C:\\Users\\helpdesk\\.ssh",
    "IsDirectory": false,
    "LengthBytes": 1660,
    "LastWriteTimeUtc": "2026-03-07T17:46:16.1607257Z",
    "CreationTimeUtc": "2024-11-20T05:26:11.6353868Z",
    "Attributes": "Archive",
    "IsHidden": false,
    "IsReadOnly": false
  },
  {
    "RecordType": "Artifact",
    "Category": "NuGet",
    "ArtifactType": "ConfigWithPossibleSecrets",
    "Confidence": "Medium",
    "Reason": "NuGet config may reference private feeds and auth settings",
    "FullName": "C:\\Users\\helpdesk\\AppData\\Roaming\\NuGet\\NuGet.Config",
    "Name": "NuGet.Config",
    "ParentPath": "C:\\Users\\helpdesk\\AppData\\Roaming\\NuGet",
    "IsDirectory": false,
    "LengthBytes": 541,
    "LastWriteTimeUtc": "2024-04-08T15:32:03.854691Z",
    "CreationTimeUtc": "2024-04-08T03:29:35.4990623Z",
    "Attributes": "Archive",
    "IsHidden": false,
    "IsReadOnly": false
  },
  {
    "RecordType": "RegistryIndicator",
    "Category": "WinSCP",
    "ArtifactType": "ConfigWithPossibleSecrets",
    "Confidence": "Medium",
    "Reason": "WinSCP saved sessions may reveal endpoints, usernames, and auth configuration",
    "RegistryPath": "HKCU:\\Software\\WinSCP 2\\Sessions",
    "Accessible": true,
    "PropertyNames": [
      "ExampleSession"
    ],
    "PropertyCount": 1
  }
]