credential_access_credential_manager_access_via_known_tools.yml
name: Credential Manager access via known tools
id: 5b4130f8-bc73-4890-b5f6-b03cddc75a52
version: 1.0.1
description: |
  Detects access to the Windows Credential Manager using built-in
  utilities such as vaultcmd.exe, cmdkey.exe, rundll32.exe, and
  control.exe. Adversaries can abuse these native tools to enumerate
  or interact with stored credentials.
labels:
  tactic.id: TA0006
  tactic.name: Credential Access
  tactic.ref: https://attack.mitre.org/tactics/TA0006/
  technique.id: T1003
  technique.name: OS Credential Dumping
  technique.ref: https://attack.mitre.org/techniques/T1003/
  subtechnique.id: T1003.002
  subtechnique.name: Security Account Manager
  subtechnique.ref: https://attack.mitre.org/techniques/T1003/002/
condition: >
  spawn_process and
    (((ps.name ~= 'VaultCmd.exe' or ps.pe.file.name ~= 'vaultcmd.exe') and ps.cmdline imatches '*/list*') or
    ((ps.name ~= 'rundll32.exe' or ps.pe.file.name ~= 'rundll32.exe') and ps.cmdline imatches '*keymgr.dll*KRShowKeyMgr*') or
    ((ps.name ~= 'cmdkey.exe' or ps.pe.file.name ~= 'cmdkey.exe') and ps.cmdline imatches '*/list*') or
    ((ps.name ~= 'control.exe' or ps.pe.file.name ~= 'control.exe') and ps.cmdline imatches '*keymgr.dll*'))
severity: medium
min-engine-version: 3.0.0
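To show what the condition above does and does not flag, here is an added Python re-implementation of the rule's matching logic run over constructed process-spawn events; it is not the engine's code, and the event field names, the sample command lines, and the reading of `~=` as case-insensitive equality and `imatches` as a case-insensitive glob are assumptions. The renamed-binary sample illustrates why the rule checks `ps.pe.file.name` as well as `ps.name`.

```python
import fnmatch
from dataclasses import dataclass

@dataclass
class SpawnEvent:  # constructed stand-in for a spawn_process event; field names are assumptions
    name: str           # ps.name: image name of the new process
    pe_file_name: str   # ps.pe.file.name: original file name from the PE version resource
    cmdline: str        # ps.cmdline: full command line

def ieq(value: str, expected: str) -> bool:
    """Assumed semantics of the rule's '~=' operator: case-insensitive equality."""
    return value.lower() == expected.lower()

def imatches(value: str, pattern: str) -> bool:
    """Assumed semantics of 'imatches': case-insensitive glob, '*' spans any characters."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

# (image, cmdline pattern) pairs transcribed from the rule's condition block.
RULE_CLAUSES = [
    ("vaultcmd.exe", "*/list*"),
    ("rundll32.exe", "*keymgr.dll*KRShowKeyMgr*"),
    ("cmdkey.exe", "*/list*"),
    ("control.exe", "*keymgr.dll*"),
]

def matches_rule(ev: SpawnEvent) -> bool:
    """True when any clause holds: image matched by name OR by PE original name, plus cmdline glob."""
    return any(
        (ieq(ev.name, image) or ieq(ev.pe_file_name, image)) and imatches(ev.cmdline, pattern)
        for image, pattern in RULE_CLAUSES
    )

# Constructed samples: four expected hits, one renamed copy of vaultcmd, two benign invocations.
SAMPLE_EVENTS = [
    SpawnEvent("VaultCmd.exe", "VaultCmd.exe", 'VaultCmd.exe /listcreds:"Windows Credentials" /all'),
    SpawnEvent("cmdkey.exe", "cmdkey.exe", "cmdkey /list"),
    SpawnEvent("rundll32.exe", "rundll32.exe", "rundll32.exe keymgr.dll,KRShowKeyMgr"),
    SpawnEvent("control.exe", "control.exe", "control.exe keymgr.dll"),
    SpawnEvent("svchost_.exe", "VaultCmd.exe", "svchost_.exe /list"),  # renamed: caught via PE name
    SpawnEvent("cmdkey.exe", "cmdkey.exe", "cmdkey /add:fileserver /user:bob /pass:x"),  # benign
    SpawnEvent("rundll32.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),  # benign
]

def evaluate(events):
    """Return [(cmdline, matched)] so each decision can be inspected."""
    return [(ev.cmdline, matches_rule(ev)) for ev in events]

if __name__ == "__main__":
    print(*evaluate(SAMPLE_EVENTS), sep="\n")
```

Note that `*/list*` also matches `/listcreds`, which is why the first sample is flagged.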