Enumerate Credentials from Windows Credential Manager With PowerShell
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
Sigma rule (View on GitHub)
1title: Enumerate Credentials from Windows Credential Manager With PowerShell
2id: 603c6630-5225-49c1-8047-26c964553e0e
3status: test
4description: |
5 Adversaries may search for common password storage locations to obtain user credentials.
6 Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
9author: frack113
10date: 2021-12-20
11modified: 2022-12-25
12tags:
13 - attack.credential-access
14 - attack.t1555
15logsource:
16 product: windows
17 category: ps_script
18 definition: 'Requirements: Script Block Logging must be enabled'
19detection:
20 selection_cmd:
21 ScriptBlockText|contains|all:
22 - vaultcmd
23 - '/listcreds:'
24 selection_option:
25 ScriptBlockText|contains:
26 - 'Windows Credentials'
27 - 'Web Credentials'
28 condition: all of selection_*
29falsepositives:
30 - Unknown
31level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Dump Credentials from Windows Credential Manager With PowerShell
- HackTool - SecurityXploded Execution
- Suspicious Serv-U Process Pattern
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript