security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
80098113d06750ddb9ab275d7df1049f88d4ea7c
blue-team-tools/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml
T
frack113 9f89d4c8c7 Redcannary 20220820
2022-08-20 17:12:31 +02:00

23 lines
660 B
YAML
Raw Blame History

title: Launch WebBrowserPassView Executable
id: d0dae994-26c6-4d2d-83b5-b3c8b79ae513
status: experimental
description: Detect use of WebBrowserPassView.exe
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
author: frack113
date: 2022/08/20
logsource:
category: process_creation
product: windows
detection:
selection:
- Description: 'Web Browser Password Viewer'
- Image|endswith: \WebBrowserPassView.exe
condition: selection
falsepositives:
- Legitimate use
level: medium
tags:
- attack.credential_access
- attack.t1555.003
Reference in New Issue View Git Blame Copy Permalink