security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fda9c753e2dcbefeebfdb1505428feeeb2d5fef1
blue-team-tools/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml
T
Nasreddine Bencherchali 2e689eca54 Quick Fix 
- Removed "Contains" modifier from "OriginalFileName" across  all rules.
- Added "Image" field back in the rules highlighted by Florian
2022-05-13 11:52:31 +01:00

26 lines
833 B
YAML
Raw Blame History

title: Windows Credential Manager Access via VaultCmd
id: 58f50261-c53b-4c88-bd12-1d71f12eda4c
status: experimental
description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
author: frack113
date: 2022/04/08
modified: 2022/05/13
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\VaultCmd.exe'
- OriginalFileName: 'VAULTCMD.EXE'
selection_cli:
CommandLine|contains: '/listcreds:'
condition: all of selection*
falsepositives:
- Unknown
level: medium
tags:
- attack.credential_access
- attack.t1555.004
Reference in New Issue View Git Blame Copy Permalink