New Generic Credentials Added Via Cmdkey.EXE
Detects usage of "cmdkey.exe" to add generic credentials. For example, this is done before connecting to an RDP session from the command line.
Sigma rule

```yaml
title: New Generic Credentials Added Via Cmdkey.EXE
id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
status: test
description: |
    Detects usage of "cmdkey.exe" to add generic credentials.
    As an example, this can be used before connecting to an RDP session via command line interface.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-03
modified: 2024-03-05
tags:
    - attack.credential-access
    - attack.t1003.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmdkey.exe'
        - OriginalFileName: 'cmdkey.exe'
    selection_cli_generic:
        CommandLine|contains|windash: ' -g' # Generic
    selection_cli_user:
        CommandLine|contains|windash: ' -u' # User
    selection_cli_password:
        CommandLine|contains|windash: ' -p' # Password
    condition: all of selection_*
falsepositives:
    - Legitimate usage for administration purposes
level: medium
```
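The following is an added example, not code from the Sigma project or from this rule's authors: a minimal Python re-implementation of the rule's matching logic (case-insensitive `endswith`/`contains`, the `windash` expansion, the OR inside the `selection_img` list and the AND of `all of selection_*`), run over constructed process_creation events. The sample events, field names and paths are assumptions for illustration.

```python
# Added example, not from the Sigma project: a minimal re-implementation of
# this rule's matching logic over constructed process_creation events.

# Expansion set for the `windash` modifier: a '-' in the pattern may appear in
# the event as '/' or, in newer Sigma versions, as a Unicode dash variant.
DASHES = ("-", "/", "\u2013", "\u2014", "\u2015")


def contains_windash(command_line: str, pattern: str) -> bool:
    """Case-insensitive `contains|windash` for one pattern."""
    cl = command_line.lower()
    return any(pattern.replace("-", d).lower() in cl for d in DASHES)


def matches_cmdkey_rule(event: dict) -> bool:
    """Evaluates `condition: all of selection_*` for a single event."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cl = event.get("CommandLine", "")
    # selection_img is a list, so its two items are OR-ed.
    selection_img = image.endswith("\\cmdkey.exe") or original == "cmdkey.exe"
    # The three CLI selections are AND-ed by "all of selection_*".
    return (selection_img and contains_windash(cl, " -g")
            and contains_windash(cl, " -u") and contains_windash(cl, " -p"))


def run_rule(events: list) -> list:
    """Returns the indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_cmdkey_rule(e)]


# Constructed sample events (synthetic, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmdkey.exe", "OriginalFileName": "cmdkey.exe",
     "CommandLine": "cmdkey.exe /generic:TERMSRV/srv01 /user:admin /pass:Hunter2"},
    {"Image": r"C:\Windows\System32\cmdkey.exe", "OriginalFileName": "cmdkey.exe",
     "CommandLine": "cmdkey -g:TERMSRV/srv01 -u:admin -p:Hunter2"},
    # Listing stored credentials has no -g/-u/-p switches: no match.
    {"Image": r"C:\Windows\System32\cmdkey.exe", "OriginalFileName": "cmdkey.exe",
     "CommandLine": "cmdkey.exe /list"},
    # A renamed copy is still caught through OriginalFileName.
    {"Image": r"C:\Temp\ck.exe", "OriginalFileName": "cmdkey.exe",
     "CommandLine": "ck.exe /generic:TERMSRV/srv01 /user:svc /pass:Hunter2"},
    # Unrelated binary with similar switches: selection_img does not match.
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": r"net use \\srv01\share /user:admin -p"},
]

print("Matching event indices:", run_rule(SAMPLE_EVENTS))  # [0, 1, 3]
```

The renamed-binary case shows why the rule keys on `OriginalFileName` as well as `Image`; the `/list` case shows that the three switch selections, not the binary alone, carry the detection.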
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
Related rules
- Cred Dump Tools Dropped Files
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- Dumping of Sensitive Hives Via Reg.EXE
- HackTool - Credential Dumping Tools Named Pipe Created