security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml
T
Nasreddine Bencherchali 598d29f811 Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00

28 lines
780 B
YAML
Raw Blame History

title: Suspicious Key Manager Access
id: a4694263-59a8-4608-a3a0-6f8d3a51664c
status: test
description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
references:
- https://twitter.com/NinjaParanoid/status/1516442028963659777
author: Florian Roth (Nextron Systems)
date: 2022-04-21
modified: 2023-02-09
tags:
- attack.credential-access
- attack.t1555.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains|all:
- 'keymgr'
- 'KRShowKeyMgr'
condition: all of selection_*
falsepositives:
- Administrative activity
level: high
Reference in New Issue View Git Blame Copy Permalink