rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml

title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
id: 07f8bdc2-c9b3-472a-9817-5a670b872f53
status: experimental
description: Detects usage of cmdkey to look for cached credentials on the system
references:
    - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
    - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2019/01/16
modified: 2023/02/03
tags:
    - attack.credential_access
    - attack.t1003.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmdkey.exe'
        - OriginalFileName: 'cmdkey.exe'
    selection_cli:
        CommandLine|contains:
            - ' /l'
            - ' -l'
    condition: all of selection*
fields:
    - CommandLine
    - ParentCommandLine
    - User
falsepositives:
    - Legitimate administrative tasks
level: high
feat: even more updates 2023-02-03 20:17:09 +01:00			`title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 07f8bdc2-c9b3-472a-9817-5a670b872f53`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`status: experimental`
feat: even more updates 2023-02-03 20:17:09 +01:00			`description: Detects usage of cmdkey to look for cached credentials on the system`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`references:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation`
			`- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx`
chore: add nextron authors tag 2023-02-01 11:14:59 +01:00			`author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`date: 2019/01/16`
feat: even more updates 2023-02-03 20:17:09 +01:00			`modified: 2023/02/03`
Missing tags 2019-03-06 00:02:37 +01:00			`tags:`
			`- attack.credential_access`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1003.005`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`logsource:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`detection:`
Rule Update (Batch 2) 2022-05-16 22:02:41 +01:00			`selection_img:`
			`- Image\|endswith: '\cmdkey.exe'`
Requested Changes 2022-05-17 15:04:26 +01:00			`- OriginalFileName: 'cmdkey.exe'`
Rule Update (Batch 2) 2022-05-16 22:02:41 +01:00			`selection_cli:`
refactor: cmdkey extended coverage 2022-04-21 09:12:13 +02:00			`CommandLine\|contains:`
$frack113$ Remove unneeded star 2022-06-11 12:58:14 +02:00			`- ' /l'`
			`- ' -l'`
Rule Update (Batch 2) 2022-05-16 22:02:41 +01:00			`condition: all of selection*`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`fields:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- CommandLine`
			`- ParentCommandLine`
			`- User`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`falsepositives:`
refactor: changed cmdkey rule 2021-07-07 14:45:03 +02:00			`- Legitimate administrative tasks`
refactor: cmdkey extended coverage 2022-04-21 09:12:13 +02:00			`level: high`