Create T1555.004.yaml (#1843)

* Create T1555.004.yaml * remove blank auto-generated guid * use standard quotes Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-04-04 08:49:57 -04:00
parent 14f6ec8047
commit 3fb3fb2a84
1 changed files with 16 additions and 0 deletions
@@ -0,0 +1,16 @@
+attack_technique: T1555.004
+display_name: 'Credentials from Password Stores: Windows Credential Manager'
+atomic_tests:
+- name: Access Saved Credentials via VaultCmd
+  description: |
+    List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
+    Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos
+    https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/
+    https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+  supported_platforms:
+    - windows
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      vaultcmd /listcreds:"Windows Credentials"