Searching for Saved Credentials via VaultCmd
Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/19"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
4maturity = "production"
5updated_date = "2024/11/02"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected
13applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for
14saved usernames and passwords. This may also be performed in preparation of lateral movement.
15"""
16from = "now-9m"
17index = [
18 "winlogbeat-*",
19 "logs-endpoint.events.process-*",
20 "logs-windows.forwarded*",
21 "logs-windows.sysmon_operational-*",
22 "endgame-*",
23 "logs-system.security*",
24 "logs-m365_defender.event-*",
25 "logs-sentinel_one_cloud_funnel.*",
26 "logs-crowdstrike.fdr*",
27]
28language = "eql"
29license = "Elastic License v2"
30name = "Searching for Saved Credentials via VaultCmd"
31references = [
32 "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
33 "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/",
34 "https://www.elastic.co/security-labs/detect-credential-access",
35]
36risk_score = 47
37rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
38severity = "medium"
39tags = [
40 "Domain: Endpoint",
41 "OS: Windows",
42 "Use Case: Threat Detection",
43 "Tactic: Credential Access",
44 "Data Source: Elastic Endgame",
45 "Data Source: Elastic Defend",
46 "Data Source: System",
47 "Data Source: Microsoft Defender for Endpoint",
48 "Data Source: Sysmon",
49 "Data Source: SentinelOne",
50 "Data Source: Crowdstrike",
51]
52timestamp_override = "event.ingested"
53type = "eql"
54
55query = '''
56process where host.os.type == "windows" and event.type == "start" and
57 (?process.pe.original_file_name:"vaultcmd.exe" or process.name:"vaultcmd.exe") and
58 process.args:"/list*"
59'''
60
61
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64[[rule.threat.technique]]
65id = "T1003"
66name = "OS Credential Dumping"
67reference = "https://attack.mitre.org/techniques/T1003/"
68
69[[rule.threat.technique]]
70id = "T1555"
71name = "Credentials from Password Stores"
72reference = "https://attack.mitre.org/techniques/T1555/"
73[[rule.threat.technique.subtechnique]]
74id = "T1555.004"
75name = "Windows Credential Manager"
76reference = "https://attack.mitre.org/techniques/T1555/004/"
77
78
79
80[rule.threat.tactic]
81id = "TA0006"
82name = "Credential Access"
83reference = "https://attack.mitre.org/tactics/TA0006/"
References
-
While examining some malicious Microsoft Office and PE files to look for detection opportunities, I came across a few samples where…
Read More -
-
Elastic Endpoint Security provides events that enable defenders with visibility on techniques and procedures which are commonly leveraged to access sensitive files and registry objects.
Read More
Related rules
- Credential Acquisition via Registry Hive Dumping
- Microsoft IIS Connection Strings Decryption
- NTDS or SAM Database File Copied
- Potential Veeam Credential Access Command
- Symbolic Link to Shadow Copy Created