Searching for Saved Credentials via VaultCmd
Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.
Elastic rule
[metadata]
creation_date = "2021/01/19"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected
applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for
saved usernames and passwords. This may also be performed in preparation of lateral movement.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Searching for Saved Credentials via VaultCmd"
references = [
    "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
    "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/",
    "https://www.elastic.co/security-labs/detect-credential-access",
]
risk_score = 47
rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  (?process.pe.original_file_name:"vaultcmd.exe" or process.name:"vaultcmd.exe") and
  process.args:"/list*"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Searching for Saved Credentials via VaultCmd

Windows Credential Manager stores credentials for websites, applications, and networks. Adversaries exploit this by using VaultCmd to list or extract these credentials, aiding in lateral movement. The detection rule identifies such abuse by monitoring the execution of VaultCmd with specific arguments, flagging potential credential access attempts. This helps in early detection of unauthorized credential access activities.

### Possible investigation steps

- Review the process execution details to confirm the presence of vaultcmd.exe with the /list* argument, as this indicates an attempt to list saved credentials.
- Check the user account associated with the process execution to determine if the activity aligns with expected behavior for that user or if it appears suspicious.
- Investigate the parent process of vaultcmd.exe to understand how it was initiated and whether it was triggered by a legitimate application or script.
- Examine recent login activity and network connections from the host to identify any signs of lateral movement or unauthorized access attempts.
- Correlate this event with other security alerts or logs from the same host or user to identify potential patterns of malicious behavior.
- Review endpoint security logs from tools like Microsoft Defender for Endpoint or Crowdstrike for additional context or corroborating evidence of credential access attempts.

### False positive analysis

- Routine administrative tasks using VaultCmd for legitimate credential management can trigger alerts. To manage this, create exceptions for known administrative accounts or scheduled tasks that regularly use VaultCmd with the /list argument.
- Security software or system management tools that perform regular audits of stored credentials might also cause false positives. Identify these tools and exclude their processes from triggering the rule.
- Automated scripts or backup processes that access Credential Manager for legitimate purposes may be flagged. Review these scripts and whitelist them if they are verified as non-threatening.
- User-initiated credential management activities, such as listing credentials for personal use, can be mistaken for malicious behavior. Educate users on the implications of using VaultCmd and consider excluding specific user accounts if necessary.

### Response and remediation

- Immediately isolate the affected system from the network to prevent potential lateral movement and further credential access.
- Terminate any suspicious processes associated with VaultCmd.exe to halt unauthorized credential dumping activities.
- Conduct a thorough review of the affected system's event logs and process execution history to identify any additional malicious activities or compromised accounts.
- Reset passwords for any accounts that may have been exposed or accessed through the Credential Manager to mitigate unauthorized access.
- Implement enhanced monitoring on the affected system and similar endpoints for any further attempts to use VaultCmd.exe or other credential dumping tools.
- Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the scope of the breach.
- Review and update endpoint protection configurations to ensure that similar threats are detected and blocked in the future, leveraging threat intelligence and MITRE ATT&CK framework insights."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.004"
name = "Windows Credential Manager"
reference = "https://attack.mitre.org/techniques/T1555/004/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
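The query above is short, but two details decide what it catches: the `:` operator is a case-insensitive wildcard match that also works across multi-valued fields such as process.args, and the optional `?process.pe.original_file_name` clause catches a vaultcmd.exe that was copied under another name. The block below is an added example that replays that logic in Python over constructed process-start events and then applies an exception of the kind the false-positive analysis recommends. It is not Elastic's code and not how the Elastic stack evaluates EQL; the flat ECS-style field names, host name, user names, parent processes and the exception entry are all assumptions made for the illustration.

```python
# Added example: replay of the rule's EQL logic over constructed ECS-style
# process events. Not Elastic's code; field shapes, host/user names and the
# exception list are assumptions for illustration only.
from fnmatch import fnmatchcase


def eql_wildcard(value, pattern):
    """Emulate EQL's ':' operator: case-insensitive, '*' matches any run of
    characters, and a multi-valued field matches if any element matches."""
    if value is None:  # also covers the optional '?' field being absent
        return False
    values = value if isinstance(value, list) else [value]
    return any(fnmatchcase(str(v).lower(), pattern.lower()) for v in values)


def eql_equals(value, literal):
    """Emulate EQL's '==' on a possibly multi-valued field: case-sensitive,
    true if any element is exactly equal."""
    values = value if isinstance(value, list) else [value]
    return literal in values


def rule_matches(ev):
    """Direct translation of the query ('process where' becomes the
    event.category check)."""
    return (
        eql_equals(ev.get("event.category"), "process")
        and eql_equals(ev.get("host.os.type"), "windows")
        and eql_equals(ev.get("event.type"), "start")
        and (eql_wildcard(ev.get("process.pe.original_file_name"), "vaultcmd.exe")
             or eql_wildcard(ev.get("process.name"), "vaultcmd.exe"))
        and eql_wildcard(ev.get("process.args"), "/list*")
    )


# Exception in the spirit of the false-positive guidance: suppress only when
# every listed field matches exactly. Hypothetical audit account and parent.
EXCEPTIONS = [
    {"user.name": "svc_credaudit", "process.parent.name": "svchost.exe"},
]


def is_excepted(ev, exceptions=EXCEPTIONS):
    return any(all(ev.get(k) == v for k, v in exc.items()) for exc in exceptions)


def triage(events, exceptions=EXCEPTIONS):
    """Run the rule over a batch and return the alerts an analyst would see,
    carrying the fields the investigation steps ask about."""
    alerts = []
    for ev in events:
        if not rule_matches(ev) or is_excepted(ev, exceptions):
            continue
        alerts.append({
            "host": ev.get("host.name"),
            "user": ev.get("user.name"),
            "parent": ev.get("process.parent.name"),
            "name": ev.get("process.name"),
            "original_file_name": ev.get("process.pe.original_file_name"),
            "command_line": " ".join(ev.get("process.args", [])),
        })
    return alerts


def sample(overrides):
    """Constructed sample event; 'overrides' replaces individual fields."""
    ev = {
        "event.category": ["process"], "event.type": ["start"],
        "host.os.type": "windows", "host.name": "WS01",
        "user.name": "jsmith", "process.parent.name": "cmd.exe",
        "process.name": "vaultcmd.exe",
        "process.pe.original_file_name": "VaultCmd.exe",
        "process.args": ["vaultcmd", "/list"],
    }
    ev.update(overrides)
    return ev


SAMPLE_EVENTS = [
    # 1. interactive enumeration of the Windows Credentials vault: alert
    sample({"process.args": ["vaultcmd", '/listcreds:"Windows Credentials"', "/all"]}),
    # 2. binary renamed to dodge a name-only check; caught via original_file_name
    sample({"process.name": "svc.exe", "process.parent.name": "powershell.exe",
            "process.args": ["svc.exe", "/LIST"]}),
    # 3. scheduled audit task: matches the query but is suppressed by EXCEPTIONS
    sample({"user.name": "svc_credaudit", "process.parent.name": "svchost.exe"}),
    # 4. adding a credential is out of scope for this rule: no alert
    sample({"process.args": ["vaultcmd", "/addcreds:MyApp"]}),
    # 5. process end event with the same arguments: no alert
    sample({"event.type": ["end"]}),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Two things the replay makes visible. Event 2 alerts even though process.name is svc.exe, which is why the rule keeps the original_file_name clause and why an exception keyed only on process.name would be too broad. Event 3 is suppressed by an exception that pins both the account and the parent process; if you add exceptions for an audit account, key them on the same combination (or on process.executable) rather than on the user alone, or the renamed-binary case run under that account would be suppressed too.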
Related rules
- Microsoft IIS Connection Strings Decryption
- NTDS Dump via Wbadmin
- NTDS or SAM Database File Copied
- Potential Local NTLM Relay via HTTP
- Potential Veeam Credential Access Command