{
	"id": "a204c805-4550-461d-b2d8-169264293cb8",
	"created_at": "2026-04-06T00:16:47.492728Z",
	"updated_at": "2026-04-10T03:23:51.854764Z",
	"deleted_at": null,
	"sha1_hash": "97ca923f18147f398b41e4ccb774c552f9243b52",
	"title": "CredEnumerateA function (wincred.h) - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54731,
	"plain_text": "CredEnumerateA function (wincred.h) - Win32 apps\r\nBy GrantMeStrength\r\nArchived: 2026-04-05 21:18:30 UTC\r\nThe CredEnumerate function enumerates the credentials from the user's credential set. The credential set used is\r\nthe one associated with the logon session of the current token. The token must not have the user's SID disabled.\r\nBOOL CredEnumerateA(\r\n [in] LPCSTR Filter,\r\n [in] DWORD Flags,\r\n [out] DWORD *Count,\r\n [out] PCREDENTIALA **Credential\r\n);\r\n[in] Filter\r\nPointer to a null-terminated string that contains the filter for the returned credentials. Only credentials with a\r\nTargetName matching the filter will be returned. The filter specifies a name prefix followed by an asterisk. For\r\ninstance, the filter \"FRED*\" will return all credentials with a TargetName beginning with the string \"FRED\".\r\nIf NULL is specified, all credentials will be returned.\r\n[in] Flags\r\nThe value of this parameter can be zero or more of the following values combined with a bitwise-OR operation.\r\nValue Meaning\r\nCRED_ENUMERATE_ALL_CREDENTIALS\r\n0x1\r\nThis function enumerates all of the credentials in the\r\nuser's credential set. The target name of each credential\r\nis returned in the \"namespace:attribute=target\" format. If\r\nthis flag is set and the Filter parameter is not NULL, the\r\nfunction fails and returns ERROR_INVALID_FLAGS.\r\nWindows Server 2003 and Windows XP:  This flag is\r\nnot supported.\r\n[out] Count\r\nCount of the credentials returned in the Credentials array.\r\n[out] Credential\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea\r\nPage 1 of 3\n\nPointer to an array of pointers to credentials. The returned credential is a single allocated block. Any pointers\r\ncontained within the buffer are pointers to locations within this single allocated block. The single returned buffer\r\nmust be freed by calling CredFree.\r\nThe function returns TRUE on success and FALSE on failure. The GetLastError function can be called to get a\r\nmore specific status code. The following status codes can be returned.\r\nReturn code/value Description\r\nERROR_NOT_FOUND\r\n1168 (0x490)\r\nNo credential exists matching the specified Filter.\r\nERROR_NO_SUCH_LOGON_SESSION\r\n1312 (0x520)\r\nThe logon session does not exist or there is no credential set\r\nassociated with this logon session. Network logon sessions do\r\nnot have an associated credential set.\r\nERROR_INVALID_FLAGS\r\n1004 (0x3EC)\r\nA flag that is not valid was specified for the Flags parameter,\r\nor CRED_ENUMERATE_ALL_CREDENTIALS is\r\nspecified for the Flags parameter and the Filter parameter is\r\nnot NULL.\r\nNote\r\nThe wincred.h header defines CredEnumerate as an alias that automatically selects the ANSI or Unicode version\r\nof this function based on the definition of the UNICODE preprocessor constant. Mixing usage of the encoding-neutral alias with code that is not encoding-neutral can lead to mismatches that result in compilation or runtime\r\nerrors. For more information, see Conventions for Function Prototypes.\r\nRequirement Value\r\nMinimum supported client Windows XP [desktop apps only]\r\nMinimum supported server Windows Server 2003 [desktop apps only]\r\nTarget Platform Windows\r\nHeader wincred.h\r\nLibrary Advapi32.lib\r\nDLL Advapi32.dll\r\nCredFree\r\nGetLastError\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea\r\nPage 2 of 3\n\nSource: https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea"
	],
	"report_names": [
		"nf-wincred-credenumeratea"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434607,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97ca923f18147f398b41e4ccb774c552f9243b52.pdf",
		"text": "https://archive.orkl.eu/97ca923f18147f398b41e4ccb774c552f9243b52.txt",
		"img": "https://archive.orkl.eu/97ca923f18147f398b41e4ccb774c552f9243b52.jpg"
	}
}