Searching for Saved Credentials via VaultCmd

calendar Oct 21, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Credential Access Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: System Data Source: Microsoft Defender for Endpoint Data Source: Sysmon Data Source: SentinelOne  ·
Share on: linkedin copy

Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/01/19"
 3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 4maturity = "production"
 5updated_date = "2024/10/17"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected
13applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for
14saved usernames and passwords. This may also be performed in preparation of lateral movement.
15"""
16from = "now-9m"
17index = [
18    "winlogbeat-*",
19    "logs-endpoint.events.process-*",
20    "logs-windows.forwarded*",
21    "logs-windows.sysmon_operational-*",
22    "endgame-*",
23    "logs-system.security*",
24    "logs-m365_defender.event-*",
25    "logs-sentinel_one_cloud_funnel.*",
26]
27language = "eql"
28license = "Elastic License v2"
29name = "Searching for Saved Credentials via VaultCmd"
30references = [
31    "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
32    "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/",
33    "https://www.elastic.co/security-labs/detect-credential-access",
34]
35risk_score = 47
36rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
37setup = """## Setup
38
39If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
40events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
41Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
42`event.ingested` to @timestamp.
43For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
44"""
45severity = "medium"
46tags = [
47    "Domain: Endpoint",
48    "OS: Windows",
49    "Use Case: Threat Detection",
50    "Tactic: Credential Access",
51    "Data Source: Elastic Endgame",
52    "Data Source: Elastic Defend",
53    "Data Source: System",
54    "Data Source: Microsoft Defender for Endpoint",
55    "Data Source: Sysmon",
56    "Data Source: SentinelOne",
57]
58timestamp_override = "event.ingested"
59type = "eql"
60
61query = '''
62process where host.os.type == "windows" and event.type == "start" and
63  (?process.pe.original_file_name:"vaultcmd.exe" or process.name:"vaultcmd.exe") and
64  process.args:"/list*"
65'''
66
67
68[[rule.threat]]
69framework = "MITRE ATT&CK"
70[[rule.threat.technique]]
71id = "T1003"
72name = "OS Credential Dumping"
73reference = "https://attack.mitre.org/techniques/T1003/"
74
75[[rule.threat.technique]]
76id = "T1555"
77name = "Credentials from Password Stores"
78reference = "https://attack.mitre.org/techniques/T1555/"
79[[rule.threat.technique.subtechnique]]
80id = "T1555.004"
81name = "Windows Credential Manager"
82reference = "https://attack.mitre.org/techniques/T1555/004/"
83
84
85
86[rule.threat.tactic]
87id = "TA0006"
88name = "Credential Access"
89reference = "https://attack.mitre.org/tactics/TA0006/"

References

Related rules

to-top