Multiple Vault Web Credentials Read
Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.
Elastic rule
[metadata]
creation_date = "2022/08/30"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected
applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for
saved usernames and passwords. This may also be performed in preparation of lateral movement.
"""
from = "now-9m"
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Multiple Vault Web Credentials Read"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Multiple Vault Web Credentials Read

Windows Credential Manager stores credentials for web logins, apps, and networks, facilitating seamless user access. Adversaries exploit this by extracting stored credentials, potentially aiding lateral movement within networks. The detection rule identifies suspicious activity by flagging consecutive credential reads from the same process, excluding benign actions like localhost access, thus highlighting potential credential dumping attempts.

### Possible investigation steps

- Review the process associated with the flagged PID to determine if it is a legitimate application or potentially malicious. Check for known software or unusual executables.
- Investigate the source and destination of the web credentials read by examining the winlog.event_data.Resource field to identify any suspicious or unexpected URLs.
- Check the winlog.computer_name to identify the affected system and assess whether it is a high-value target or has been involved in previous suspicious activities.
- Analyze the timeline of events around the alert to identify any preceding or subsequent suspicious activities that may indicate a broader attack pattern.
- Verify the user context by examining the winlog.event_data.SubjectLogonId to ensure the activity was not performed by a privileged or administrative account without proper authorization.
- Cross-reference the event with other security logs or alerts to identify any correlated activities that might suggest a coordinated attack or compromise.

### False positive analysis

- Localhost access is a common false positive since the rule excludes localhost reads. Ensure that any legitimate applications accessing credentials via localhost are properly whitelisted to prevent unnecessary alerts.
- Automated scripts or applications that frequently access web credentials for legitimate purposes may trigger the rule. Identify these processes and create exceptions for them to reduce noise.
- System maintenance or updates might involve credential reads that are benign. Coordinate with IT teams to schedule these activities and temporarily adjust the rule sensitivity or add exceptions during these periods.
- Security tools or monitoring software that perform regular checks on credential integrity could be flagged. Verify these tools and add them to an exception list if they are part of the organization's security infrastructure.
- User behavior such as frequent password changes or credential updates might cause alerts. Educate users on the impact of their actions and consider adjusting the rule to accommodate expected behavior patterns.

### Response and remediation

- Isolate the affected system from the network to prevent potential lateral movement by the adversary.
- Terminate the suspicious process identified by the process ID (pid) involved in the credential reads to stop further credential access.
- Conduct a thorough review of the affected system for any additional signs of compromise, such as unauthorized user accounts or scheduled tasks.
- Change passwords for any accounts that may have been exposed, focusing on those stored in the Windows Credential Manager.
- Implement network segmentation to limit access to critical systems and data, reducing the risk of lateral movement.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
- Enhance monitoring and logging on the affected system and similar endpoints to detect any future attempts at credential dumping or unauthorized access."""
references = [
    "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",
    "https://www.elastic.co/security-labs/detect-credential-access",
]
risk_score = 47
rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Windows Security Event Logs",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by winlog.computer_name, winlog.process.pid with maxspan=1s

  /* 2 consecutive vault reads from same pid for web creds */

  [any where event.code : "5382" and
   (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
   not winlog.event_data.SubjectLogonId : "0x3e7" and
   not winlog.event_data.Resource : "http://localhost/"]

  [any where event.code : "5382" and
   (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
   not winlog.event_data.SubjectLogonId : "0x3e7" and
   not winlog.event_data.Resource : "http://localhost/"]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.004"
name = "Windows Credential Manager"
reference = "https://attack.mitre.org/techniques/T1555/004/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
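As an added example (not Elastic's code and not part of the rule above), the following Python approximates what the EQL query does: it applies the per-event filter (event 5382, web password schema, http* resource, not logon session 0x3e7, not http://localhost/) and then pairs consecutive matching reads keyed by host and pid within maxspan=1s. The events, hostnames, pids and logon IDs are constructed; the reset-after-match behaviour is a simplification of EQL sequence state, assumed here for clarity.

```python
from datetime import datetime, timedelta

def ev(ts, pid, resource, logon="0x5a3c1",
       schema="Windows Web Password Credential", computer="WS01"):
    """Build a constructed event carrying the 5382 fields the rule inspects."""
    return {"ts": ts, "computer": computer, "pid": pid, "code": "5382",
            "schema": schema, "resource": resource, "logon": logon}

# Constructed sample events (not real logs); comments say why each does or does not count.
SAMPLE_EVENTS = [
    ev("2025-03-20T10:00:00.100", 4120, "https://intranet.example/"),  # 1st web read
    ev("2025-03-20T10:00:00.400", 4120, "https://mail.example/"),      # 2nd within 1s: alert
    ev("2025-03-20T10:00:00.600", 4120, "http://localhost/"),          # excluded: localhost
    ev("2025-03-20T10:00:00.700", 4120, "https://git.example/", logon="0x3e7"),  # excluded: SYSTEM
    ev("2025-03-20T10:00:06.000", 4120, "https://crm.example/"),       # alone, nothing within 1s
    ev("2025-03-20T10:00:06.200", 7788, "https://hr.example/"),        # other pid: separate key
    ev("2025-03-20T10:00:06.300", 7788, "https://hr.example/",
       schema="Windows Domain Password Credential"),                   # not a web credential
]

def matches_filter(e):
    """The per-event filter of the rule: 5382, web password schema, http* resource,
    not the SYSTEM logon session (0x3e7) and not the localhost resource."""
    return (e["code"] == "5382"
            and e["schema"] == "Windows Web Password Credential"
            and e["resource"].lower().startswith("http")
            and e["logon"] != "0x3e7"
            and e["resource"] != "http://localhost/")

def find_sequences(events, maxspan=timedelta(seconds=1)):
    """Pair consecutive matching reads keyed by (computer, pid) within maxspan.
    Simplification: a key's state resets after a pair is emitted."""
    pending, hits = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if not matches_filter(e):
            continue
        key = (e["computer"], e["pid"])
        t = datetime.fromisoformat(e["ts"])
        prev = pending.get(key)
        if prev is not None and t - prev[0] <= maxspan:
            hits.append((key, prev[1]["resource"], e["resource"]))
            del pending[key]
        else:
            pending[key] = (t, e)  # start (or restart) the sequence for this key
    return hits

if __name__ == "__main__":
    for key, first, second in find_sequences(SAMPLE_EVENTS):
        print(f"{key[0]} pid {key[1]}: {first} then {second}")
```

Only the first two reads from pid 4120 pair up; the localhost read, the SYSTEM-session read, the isolated read six seconds later, and the non-web credential read are all dropped or never paired, which is the triage question the investigation steps above ask you to answer for the flagged pid.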