Credential Manager Access By Uncommon Application

calendar Dec 21, 2023 · attack.t1003 attack.credential_access  ·
Share on: linkedin copy

Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function

Sigma rule (View on GitHub)

 1title: Credential Manager Access By Uncommon Application
 2id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
 3status: experimental
 4description: |
 5    Detects suspicious processes based on name and location that access the windows credential manager and vault.
 6    Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function    
 7references:
 8    - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
 9    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/10/11
12modified: 2023/12/18
13tags:
14    - attack.t1003
15    - attack.credential_access
16logsource:
17    category: file_access
18    product: windows
19    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
20detection:
21    selection:
22        FileName|contains:
23            - '\AppData\Local\Microsoft\Credentials\'
24            - '\AppData\Roaming\Microsoft\Credentials\'
25            - '\AppData\Local\Microsoft\Vault\'
26            - '\ProgramData\Microsoft\Vault\'
27    filter_system_folders:
28        Image|contains:
29            - ':\Program Files\'
30            - ':\Program Files (x86)\'
31            - ':\Windows\system32\'
32            - ':\Windows\SysWOW64\'
33    condition: selection and not 1 of filter_*
34falsepositives:
35    - Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason).
36# Increase level after false positives filters are good enough
37level: medium

References

  • Mimikatz | DarthSidious

    The now very famous tool mimikatz can be among other things used to dump credentials, that is hashes and/or. The latest release of mimikatz can be found as a precompiled binary for Windows on genti...


    Read More

  • Windows Privilege Escalation Guide

    Privilege escalation always comes down to proper enumeration. But to accomplish proper enumeration you need to know what to check and look for. This takes familiarity with systems that normally comes along with experience. At first privilege escalation can seem like a daunting task, but after a while you start...


    Read More

Related rules

to-top