Multiple Vault Web Credentials Read
Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/08/30"
3integration = ["system", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected
11applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for
12saved usernames and passwords. This may also be performed in preparation of lateral movement.
13"""
14from = "now-9m"
15index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Multiple Vault Web Credentials Read"
19references = [
20 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",
21 "https://www.elastic.co/security-labs/detect-credential-access",
22]
23risk_score = 47
24rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
25setup = """## Setup
26
27If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
28events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
29Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
30`event.ingested` to @timestamp.
31For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
32"""
33severity = "medium"
34tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"]
35type = "eql"
36
37query = '''
38sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
39
40 /* 2 consecutive vault reads from same pid for web creds */
41
42 [any where event.code : "5382" and
43 (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
44 not winlog.event_data.SubjectLogonId : "0x3e7" and
45 not winlog.event_data.Resource : "http://localhost/"]
46
47 [any where event.code : "5382" and
48 (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
49 not winlog.event_data.SubjectLogonId : "0x3e7" and
50 not winlog.event_data.Resource : "http://localhost/"]
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1003"
58name = "OS Credential Dumping"
59reference = "https://attack.mitre.org/techniques/T1003/"
60
61[[rule.threat.technique]]
62id = "T1555"
63name = "Credentials from Password Stores"
64reference = "https://attack.mitre.org/techniques/T1555/"
65[[rule.threat.technique.subtechnique]]
66id = "T1555.004"
67name = "Windows Credential Manager"
68reference = "https://attack.mitre.org/techniques/T1555/004/"
69
70
71
72[rule.threat.tactic]
73id = "TA0006"
74name = "Credential Access"
75reference = "https://attack.mitre.org/tactics/TA0006/"
References
Related rules
- Command Shell Activity Started via RunDLL32
- Credential Acquisition via Registry Hive Dumping
- FirstTime Seen Account Performing DCSync
- Full User-Mode Dumps Enabled System-Wide
- Kerberos Pre-authentication Disabled for User