diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
index 6bc458264..b84f0301d 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
@@ -5,9 +5,9 @@ description: Detects usage of cmdkey to look for cached credentials
 references:
     - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
     - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
-author: jmallette
+author: jmallette, Florian Roth
 date: 2019/01/16
-modified: 2021/07/07
+modified: 2022/04/21
 tags:
     - attack.credential_access
     - attack.t1003.005
@@ -17,7 +17,9 @@ logsource:
 detection:
     selection:
         Image|endswith: '\cmdkey.exe'
-        CommandLine|contains: ' /list'
+        CommandLine|contains:
+            - ' /list'
+            - ' -list'
     condition: selection
 fields:
     - CommandLine
@@ -25,4 +27,4 @@ fields:
     - User
 falsepositives:
     - Legitimate administrative tasks
-level: medium
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
new file mode 100644
index 000000000..bf9d1b0e9
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
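Review bot: The selection in the second hunk (`@@ -17,7 +17,9 @@`) still anchors only on `Image|endswith: '\cmdkey.exe'`, so the same `/list` or `-list` invocation from a copy of the binary running under a different file name does not trigger, even though the command-line side of the rule is now broader. For process_creation sources that carry the PE version resource, matching `OriginalFileName` alongside the image path closes that gap; the value is expected to be `cmdkey.exe` but should be confirmed against the binary's version resource before merging. The change splits the selection into an image part (OR of the two fields) and a command-line part, joined in the condition, as below.
```yaml
detection:
    selection_img:
        - Image|endswith: '\cmdkey.exe'
        - OriginalFileName: 'cmdkey.exe'
    selection_cli:
        CommandLine|contains:
            - ' /list'
            - ' -list'
    condition: all of selection_*
# … unchanged: fields list …
```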
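Review bot: `level` goes from medium to high in the third hunk (`@@ -25,4 +27,4 @@`) while the `falsepositives` entry directly above it still reads `Legitimate administrative tasks`, and the hunk before this one widened the selection rather than narrowing it; nothing in the diff records why the rule is now treated as high-confidence. Either keep medium until the known administrative cases are filtered, or make the falsepositives entry specific enough for triage, e.g. `- Legitimate administrative tasks (an administrator listing stored credentials on a host they manage)`.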
@@ -0,0 +1,24 @@
+title: Suspicious Key Manager Access
+id: a4694263-59a8-4608-a3a0-6f8d3a51664c
+description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
+status: experimental
+references:
+    - https://twitter.com/NinjaParanoid/status/1516442028963659777
+author: Florian Roth
+date: 2022/04/21
+tags:
+    - attack.credential_access
+    - attack.t1555.004
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\rundll32.exe'
+        CommandLine|contains|all:
+            - 'keymgr'
+            - 'KRShowKeyMgr'
+    condition: selection
+falsepositives:
+    - Administrative activity
+level: high
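Review bot: In `CommandLine|contains|all`, the first term `'keymgr'` adds no constraint: Sigma string matching is case-insensitive by default, and `KRShowKeyMgr` already contains the substring `keymgr`, so every command line that satisfies the second term satisfies the first and the `all` modifier narrows nothing. If the intent was to require the module name as well as the export, the author's own choice of a bare `keymgr` suggests the extension may be absent from the command line, so `'keymgr.dll'` would be narrower than intended; the straightforward fix is a single `CommandLine|contains: 'KRShowKeyMgr'` with a comment such as `# module name not matched separately: 'keymgr' is a substring of the export name`. Separately, `references` cites only a tweet; adding a link to Microsoft's documentation of the Stored User Names and Passwords dialogue would give analysts a stable description of what the rule fires on.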