Devicecredentialdeployment on LOLBAS
Archived: 2026-04-05 20:22:22 UTC
Device Credential Deployment
Paths:
C:\Windows\System32\DeviceCredentialDeployment.exe
Acknowledgements:
Elliot Killick (@elliotkillick)
Detections:
IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation
Sigma: proc_creation_win_lolbin_device_credential_deployment.yml
Conceal
1. Grab the console window handle and set it to hidden
DeviceCredentialDeployment
Use case
Can be used to stealthily run a console application (e.g. cmd.exe) in the background
Privileges required
User
Operating systems
Windows 10
ATT&CK® technique
T1564: Hide Artifacts
Source: https://lolbas-project.github.io/lolbas/Binaries/DeviceCredentialDeployment/
https://lolbas-project.github.io/lolbas/Binaries/DeviceCredentialDeployment/
Page 1 of 1