credential_access_suspicious_vault_client_dll_load.yml
67 lines (64 loc) · 3.46 KB
name: Suspicious Vault client DLL load
id: 64af2e2e-2309-4079-9c0f-985f1dd930f5
version: 1.0.6
description: |
  Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided
  by the Credential Vault Client Library to enumerate or harvest saved credentials.
labels:
  tactic.id: TA0006
  tactic.name: Credential Access
  tactic.ref: https://attack.mitre.org/tactics/TA0006/
  technique.id: T1555
  technique.name: Credentials from Password Stores
  technique.ref: https://attack.mitre.org/techniques/T1555/
  subtechnique.id: T1555.004
  subtechnique.name: Windows Credential Manager
  subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
references:
  - https://redcanary.com/blog/incident-response/active-breach-evading-defenses/
  - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
condition: >
  sequence
  maxspan 2m
  by ps.uuid
    |spawn_process and
      ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and ps.exe != '' and
      not (ps.exe imatches
        (
          '?:\\Windows\\System32\\MDMAppInstaller.exe',
          '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
          '?:\\Windows\\uus\\*\\WaaSMedicAgent.exe',
          '?:\\Windows\\System32\\UCConfigTask.exe',
          '?:\\Windows\\System32\\DllHost.exe',
          '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe',
          '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
          '?:\\Program Files\\*.exe',
          '?:\\Program Files (x86)\\*.exe',
          '?:\\Windows\\winsxs\\*\\TiWorker.exe',
          '?:\\Windows\\System32\\RuntimeBroker.exe',
          '?:\\WINDOWS\\system32\\UCConfigTask.exe',
          '?:\\Program Files\\WindowsApps\\Microsoft.*.exe',
          '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe',
          '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe',
          '?:\\Windows\\SystemApps\\MicrosoftWindows.Client.*\\SearchHost.exe',
          '?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',
          '?:\\Windows\\System32\\PickerHost.exe',
          '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\SearchHost.exe',
          '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\AppActions.exe',
          '?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe',
          '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe',
          '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe',
          '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe',
          '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe'
        ) or
        (ps.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.parent.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) or
        (ps.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.args imatches ('-ServerName:*')) or
        (ps.parent.exe imatches '?:\\Windows\\System32\\services.exe') or
        (ps.parent.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
      )
    |
    |load_dll and dll.name ~= 'vaultcli.dll'|
output: >
  Suspicious process %2.ps.exe loaded the Credential Vault Client DLL for potential credentials harvesting
severity: high
min-engine-version: 3.0.0
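The sequence above joins two stages on `ps.uuid` within `maxspan 2m`: a process start that survives the SID and image allow-list, followed by that process loading `vaultcli.dll`. The Python below is an added example that evaluates the same logic over constructed events; it is not Fibratus code and not part of this rule file. It assumes a flat event dict with hypothetical field names (`ps_uuid`, `ps_exe`, `dll_name`, ...), approximates `imatches` with case-insensitive `fnmatch` globbing on single-backslash paths, and uses only a subset of the rule's exclusion list so the allow-listing and time-window behaviour are visible without repeating every entry.

```python
"""Added example: a toy evaluator for the sequence logic of the rule above.
This is not Fibratus code. Events are constructed flat dicts, the exclusion
list is a subset of the rule's, and 'imatches' is approximated with fnmatch."""
from fnmatch import fnmatchcase

MAXSPAN_SECONDS = 120                       # "maxspan 2m"
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
SCHEDULE_ARGS = {"-k", "netsvcs", "-p", "-s", "Schedule"}

# Subset of the rule's "ps.exe imatches (...)" allow-list, single-backslash form.
EXCLUDED_EXE_GLOBS = [
    r"?:\Windows\System32\DllHost.exe",
    r"?:\Program Files\*.exe",
    r"?:\Program Files (x86)\*.exe",
    r"?:\Windows\System32\RuntimeBroker.exe",
    r"?:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
]


def imatches(value, patterns):
    """Case-insensitive glob: '?' matches one char, '*' any run, separators included."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def spawn_is_unusual(ev):
    """Stage 1: spawn_process by a non-service SID whose image is not allow-listed."""
    if ev["kind"] != "spawn_process":
        return False
    if ev["ps_sid"] in SERVICE_SIDS or ev["ps_exe"] == "":
        return False
    excluded = (
        imatches(ev["ps_exe"], EXCLUDED_EXE_GLOBS)
        or (imatches(ev["ps_exe"], r"?:\WINDOWS\System32\taskhostw.exe")
            and bool(SCHEDULE_ARGS & set(ev["ps_parent_args"])))      # "intersects"
        or (imatches(ev["ps_exe"], r"?:\WINDOWS\system32\BackgroundTaskHost.exe")
            and any(imatches(a, "-ServerName:*") for a in ev["ps_args"]))
        or imatches(ev["ps_parent_exe"], r"?:\Windows\System32\services.exe")
        or imatches(ev["ps_parent_exe"],
                    r"?:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe")
    )
    return not excluded


def loads_vault_client(ev):
    """Stage 2: load_dll whose image name equals vaultcli.dll (case-insensitive, like ~=)."""
    return ev["kind"] == "load_dll" and ev["dll_name"].lower() == "vaultcli.dll"


def detect(events):
    """Join stage 1 and stage 2 on ps_uuid within MAXSPAN; return the loader's
    ps_exe (what the rule's %2.ps.exe refers to) for each match."""
    hits, pending = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if spawn_is_unusual(ev):
            pending[ev["ps_uuid"]] = ev["ts"]          # remember when stage 1 fired
        elif loads_vault_client(ev):
            started = pending.get(ev["ps_uuid"])
            if started is not None and 0 <= ev["ts"] - started <= MAXSPAN_SECONDS:
                hits.append(ev["ps_exe"])
                del pending[ev["ps_uuid"]]
    return hits


# Constructed sample events (not real telemetry); timestamps are seconds.
def spawn(uuid, exe, ts, sid="S-1-5-21-1111-2222-3333-1001",
          parent_exe=r"C:\Windows\explorer.exe", parent_args=(), args=()):
    return {"kind": "spawn_process", "ts": ts, "ps_uuid": uuid, "ps_sid": sid,
            "ps_exe": exe, "ps_args": list(args), "ps_parent_exe": parent_exe,
            "ps_parent_args": list(parent_args)}


def dll_load(uuid, exe, ts, dll="vaultcli.dll"):
    return {"kind": "load_dll", "ts": ts, "ps_uuid": uuid, "ps_exe": exe, "dll_name": dll}


SAMPLE_EVENTS = [
    spawn("A", r"C:\Users\alice\AppData\Local\Temp\tool.exe", 0),       # unusual image: fires
    spawn("B", r"C:\Program Files\Vendor\app.exe", 5),                  # allow-listed path
    dll_load("B", r"C:\Program Files\Vendor\app.exe", 10),
    dll_load("A", r"C:\Users\alice\AppData\Local\Temp\tool.exe", 30, dll="VAULTCLI.DLL"),
    spawn("D", r"C:\Windows\System32\svchost.exe", 40, sid="S-1-5-18"),  # service SID
    dll_load("D", r"C:\Windows\System32\svchost.exe", 45),
    spawn("E", r"C:\Windows\System32\taskhostw.exe", 50,                # scheduled-task host
          parent_exe=r"C:\Windows\System32\svchost.exe", parent_args=("-k", "netsvcs", "-p")),
    dll_load("E", r"C:\Windows\System32\taskhostw.exe", 55),
    spawn("C", r"C:\Users\bob\Downloads\x.exe", 100),                   # load arrives after maxspan
    dll_load("C", r"C:\Users\bob\Downloads\x.exe", 400),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Only process A produces a hit: B is excluded by the `Program Files` glob, D by its service SID, E by the `taskhostw.exe` parent-argument clause, and C because its DLL load lands outside the two-minute window. The evaluator keeps the same stage ordering as the rule, so a `load_dll` that arrives before its `spawn_process` is never matched either.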