security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml
T
Nasreddine Bencherchali 63888f7a53 feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00

28 lines
788 B
YAML
Raw Blame History

title: Suspicious Key Manager Access
id: a4694263-59a8-4608-a3a0-6f8d3a51664c
status: experimental
description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
references:
- https://twitter.com/NinjaParanoid/status/1516442028963659777
author: Florian Roth (Nextron Systems)
date: 2022/04/21
modified: 2023/02/09
tags:
- attack.credential_access
- attack.t1555.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains|all:
- 'keymgr'
- 'KRShowKeyMgr'
condition: all of selection_*
falsepositives:
- Administrative activity
level: high
Reference in New Issue View Git Blame Copy Permalink