Merge pull request #2932 from SigmaHQ/rule-devel

Password Recon Rules

rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml

@@ -5,9 +5,9 @@ description: Detects usage of cmdkey to look for cached credentials
 references:
     - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
     - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
-author: jmallette
+author: jmallette, Florian Roth
 date: 2019/01/16
-modified: 2021/07/07
+modified: 2022/04/21
 tags:
     - attack.credential_access
     - attack.t1003.005
@@ -17,7 +17,9 @@ logsource:
 detection:
     selection:
         Image|endswith: '\cmdkey.exe'
-        CommandLine|contains: ' /list'
+        CommandLine|contains:
+            - ' /list'
+            - ' -list'
     condition: selection
 fields:
     - CommandLine
@@ -25,4 +27,4 @@ fields:
     - User
 falsepositives:
     - Legitimate administrative tasks
-level: medium
+level: high

rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml

@@ -0,0 +1,24 @@
+title: Suspicious Key Manager Access
+id: a4694263-59a8-4608-a3a0-6f8d3a51664c
+description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
+status: experimental
+references:
+   - https://twitter.com/NinjaParanoid/status/1516442028963659777
+author: Florian Roth
+date: 2022/04/21
+tags:
+   - attack.credential_access 
+   - attack.t1555.004
+logsource:
+   category: process_creation
+   product: windows
+detection:
+   selection:
+      Image|endswith: '\rundll32.exe'
+      CommandLine|contains|all:
+         - 'keymgr'
+         - 'KRShowKeyMgr'
+   condition: selection
+falsepositives:
+   - Administrative activity
+level: high