Searching for Saved Credentials via VaultCmd
Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/19"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected
11applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for
12saved usernames and passwords. This may also be performed in preparation of lateral movement.
13"""
14from = "now-9m"
15index = [
16 "winlogbeat-*",
17 "logs-endpoint.events.process-*",
18 "logs-windows.*",
19 "endgame-*",
20 "logs-system.security*",
21]
22language = "eql"
23license = "Elastic License v2"
24name = "Searching for Saved Credentials via VaultCmd"
25references = [
26 "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
27 "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/",
28 "https://www.elastic.co/security-labs/detect-credential-access",
29]
30risk_score = 47
31rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
32setup = """## Setup
33
34If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
35events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
36Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
37`event.ingested` to @timestamp.
38For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
39"""
40severity = "medium"
41tags = [
42 "Domain: Endpoint",
43 "OS: Windows",
44 "Use Case: Threat Detection",
45 "Tactic: Credential Access",
46 "Data Source: Elastic Endgame",
47 "Data Source: Elastic Defend",
48]
49timestamp_override = "event.ingested"
50type = "eql"
51
52query = '''
53process where host.os.type == "windows" and event.type == "start" and
54 (?process.pe.original_file_name:"vaultcmd.exe" or process.name:"vaultcmd.exe") and
55 process.args:"/list*"
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1003"
63name = "OS Credential Dumping"
64reference = "https://attack.mitre.org/techniques/T1003/"
65
66[[rule.threat.technique]]
67id = "T1555"
68name = "Credentials from Password Stores"
69reference = "https://attack.mitre.org/techniques/T1555/"
70[[rule.threat.technique.subtechnique]]
71id = "T1555.004"
72name = "Windows Credential Manager"
73reference = "https://attack.mitre.org/techniques/T1555/004/"
74
75
76
77[rule.threat.tactic]
78id = "TA0006"
79name = "Credential Access"
80reference = "https://attack.mitre.org/tactics/TA0006/"
References
-
While examining some malicious Microsoft Office and PE files to look for detection opportunities, I came across a few samples where…
Read More -
-
Elastic Endpoint Security provides events that enable defenders with visibility on techniques and procedures which are commonly leveraged to access sensitive files and registry objects.
Read More
Related rules
- Command Shell Activity Started via RunDLL32
- Credential Acquisition via Registry Hive Dumping
- Full User-Mode Dumps Enabled System-Wide
- Microsoft IIS Connection Strings Decryption
- Microsoft IIS Service Account Password Dumped