Credential Manager Access By Uncommon Applications
Detects suspicious processes, identified by name and location, that access the Windows Credential Manager and Vault files, which can be a sign of credential theft. An example would be the use of the mimikatz "dpapi::cred" function.
Sigma rule
```yaml
title: Credential Manager Access By Uncommon Applications
id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
status: experimental
description: |
    Detects suspicious processes based on name and location that access the windows credential manager and vault.
    Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
references:
    - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-11
modified: 2024-07-29
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\AppData\Local\Microsoft\Credentials\'
            - '\AppData\Roaming\Microsoft\Credentials\'
            - '\AppData\Local\Microsoft\Vault\'
            - '\ProgramData\Microsoft\Vault\'
    filter_system_folders:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason).
# Increase level after false positives filters are good enough
level: medium
```
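To show how the condition `selection and not 1 of filter_*` evaluates against file-access telemetry, here is an added Python example (not part of the rule or of the Sigma project) that reimplements the rule's two lists with Sigma's default case-insensitive matching and runs them over constructed events. The field names `FileName` and `Image` follow the rule; the user names, process paths and file names in the sample events are invented.

```python
# Lists copied from the rule; Sigma string modifiers match case-insensitively,
# so every comparison below is done in lower case.
SELECTION_FILENAME_CONTAINS = [
    "\\AppData\\Local\\Microsoft\\Credentials\\",
    "\\AppData\\Roaming\\Microsoft\\Credentials\\",
    "\\AppData\\Local\\Microsoft\\Vault\\",
    "\\ProgramData\\Microsoft\\Vault\\",
]
FILTER_IMAGE_STARTSWITH = [
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\Windows\\system32\\",
    "C:\\Windows\\SysWOW64\\",
]

def matches_rule(event: dict) -> bool:
    """Evaluate 'selection and not 1 of filter_*' for one file_access event."""
    filename = event.get("FileName", "").lower()
    image = event.get("Image", "").lower()
    selection = any(needle.lower() in filename for needle in SELECTION_FILENAME_CONTAINS)
    # The rule defines a single filter, so "1 of filter_*" reduces to this one test.
    filter_system_folders = any(image.startswith(p.lower()) for p in FILTER_IMAGE_STARTSWITH)
    return selection and not filter_system_folders

def find_alerts(events: list) -> list:
    """Return the events that would raise this rule, in input order."""
    return [e for e in events if matches_rule(e)]

# Constructed file_access events (hypothetical users, binaries and file names).
SAMPLE_EVENTS = [
    # Windows service binary reading the vault: hit by selection, suppressed by the filter.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "FileName": r"C:\Users\alice\AppData\Local\Microsoft\Vault\Policy.vpol"},
    # Unknown binary in a user-writable Temp folder reading a credential blob: alert.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "FileName": r"C:\Users\alice\AppData\Roaming\Microsoft\Credentials\CRED-BLOB-1"},
    # Browser touching its own profile: not a Credential Manager path, no alert.
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "FileName": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json"},
    # Binary run from Downloads reading the system-wide vault: alert.
    {"Image": r"C:\Users\alice\Downloads\tool.exe",
     "FileName": r"C:\ProgramData\Microsoft\Vault\Policy.vpol"},
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "->", hit["FileName"])
```

Any process whose image sits under one of the four system folders is suppressed regardless of which credential file it reads, which is why the rule's own comment ties raising its level to how well those filters hold up.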
Related rules
- Access To Crypto Currency Wallets By Uncommon Applications
- Capture Credentials with Rpcping.exe
- Esentutl Gather Credentials
- HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
- HackTool - Rubeus Execution