feat(rules): Add Credential Manager access via known tools rule

Detects access to the Windows Credential Manager using built-in
utilities such as vaultcmd.exe, cmdkey.exe, rundll32.exe, and control.exe. Adversaries can abuse these native tools to enumerate or interact with stored credentials.

Author: rabbitstack

rules/credential_access_credential_access_from_backups_via_rundll32.yml

@@ -0,0 +1,31 @@
+name: Credential Manager access via known tools
+id: 5b4130f8-bc73-4890-b5f6-b03cddc75a52
+version: 1.0.0
+description: |
+  Detects access to the Windows Credential Manager using built-in
+  utilities such as vaultcmd.exe, cmdkey.exe, rundll32.exe, and
+  control.exe. Adversaries can abuse these native tools to enumerate
+  or interact with stored credentials.
+labels:
+  tactic.id: TA0006
+  tactic.name: Credential Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0006/
+  technique.id: T1003
+  technique.name: OS Credential Dumping
+  technique.ref: https://attack.mitre.org/techniques/T1003/
+  subtechnique.id: T1003.002
+  subtechnique.name: Security Account Manager
+  subtechnique.ref: https://attack.mitre.org/techniques/T1003/002/
+
+condition: >
+  spawn_process and
+  ((ps.name ~= 'VaultCmd.exe' or ps.pe.file.name ~= 'vaultcmd.exe') and ps.cmdline imatches '*/list*') or
+  ((ps.name ~= 'rundll32.exe' or ps.pe.file.name ~= 'rundll32.exe') and ps.cmdline imatches '*keymgr.dll*KRShowKeyMgr*') or
+  ((ps.name ~= 'cmdkey.exe' or ps.pe.file.name ~= 'cmdkey.exe') and ps.cmdline imatches '*/list*') or
+  ((ps.name ~= 'control.exe' or ps.pe.file.name ~= 'control.exe') and ps.cmdline imatches '*keymgr.dll*')
+
+output: >
+  Access to credential manager via process %ps.exe
+severity: medium
+
+min-engine-version: 3.0.0