Multiple Vault Web Credentials Read

Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/08/30"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected
13applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for
14saved usernames and passwords. This may also be performed in preparation of lateral movement.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Multiple Vault Web Credentials Read"
21references = [
22    "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",
23    "https://www.elastic.co/security-labs/detect-credential-access",
24]
25risk_score = 47
26rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
27setup = """## Setup
28
29If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
30events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
31Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
32`event.ingested` to @timestamp.
33For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
34"""
35severity = "medium"
36tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: System"]
37type = "eql"
38
39query = '''
40sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
41
42 /* 2 consecutive vault reads from same pid for web creds */
43
44 [any where event.code : "5382" and
45  (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
46  not winlog.event_data.SubjectLogonId : "0x3e7" and 
47  not winlog.event_data.Resource : "http://localhost/"]
48
49 [any where event.code : "5382" and
50  (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
51  not winlog.event_data.SubjectLogonId : "0x3e7" and 
52  not winlog.event_data.Resource : "http://localhost/"]
53'''
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1003"
60name = "OS Credential Dumping"
61reference = "https://attack.mitre.org/techniques/T1003/"
62
63[[rule.threat.technique]]
64id = "T1555"
65name = "Credentials from Password Stores"
66reference = "https://attack.mitre.org/techniques/T1555/"
67[[rule.threat.technique.subtechnique]]
68id = "T1555.004"
69name = "Windows Credential Manager"
70reference = "https://attack.mitre.org/techniques/T1555/004/"
71
72
73
74[rule.threat.tactic]
75id = "TA0006"
76name = "Credential Access"
77reference = "https://attack.mitre.org/tactics/TA0006/"

References

Related rules

to-top