security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8f8ce06ffb8d8fd3433dbffebccd33ec9d23e51a
blue-team-tools/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
T
frack113 48baf1187b Merge PR #4752 from @frack113 - Update rules to use the windash modifier 
update: File Enumeration Via Dir Command - Update logic to use a wildcard in addition, for better accuracy.
chore: update multiple rules to use the windash modifier 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-11 12:01:30 +01:00

32 lines
1.1 KiB
YAML
Raw Blame History

title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
id: 07f8bdc2-c9b3-472a-9817-5a670b872f53
status: test
description: Detects usage of cmdkey to look for cached credentials on the system
references:
- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
- https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey
author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2019/01/16
modified: 2024/03/05
tags:
- attack.credential_access
- attack.t1003.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmdkey.exe'
- OriginalFileName: 'cmdkey.exe'
selection_cli:
CommandLine|contains|windash: ' -l'
condition: all of selection*
fields:
- CommandLine
- ParentCommandLine
- User
falsepositives:
- Legitimate administrative tasks
level: high
Reference in New Issue View Git Blame Copy Permalink