New Generic Credentials Added Via Cmdkey.EXE

Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface.

Sigma rule

```yaml
title: New Generic Credentials Added Via Cmdkey.EXE
id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
status: test
description: |
    Detects usage of "cmdkey.exe" to add generic credentials.
    As an example, this can be used before connecting to an RDP session via command line interface.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-03
modified: 2024-03-05
tags:
    - attack.credential-access
    - attack.t1003.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmdkey.exe'
        - OriginalFileName: 'cmdkey.exe'
    selection_cli_generic:
        CommandLine|contains|windash: ' -g' # Generic
    selection_cli_user:
        CommandLine|contains|windash: ' -u' # User
    selection_cli_password:
        CommandLine|contains|windash: ' -p' # Password
    condition: all of selection_*
falsepositives:
    - Legitimate usage for administration purposes
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/info.yml
simulation:
    - type: atomic-red-team
      name: RDP to DomainController
      technique: T1021.001
      atomic_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e
```
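To make the detection logic concrete, here is an added example (not part of the Sigma project or this rule's test data) that evaluates the rule above against a few constructed process_creation events. It emulates the `windash` modifier, which lets the `-` in each pattern also match `/` and Unicode dash variants, and shows why `OriginalFileName` matters when the binary has been renamed.

```python
import re

# Sigma's windash modifier treats a dash in the pattern as any of these
# characters, since Windows tools accept "/" and Unicode dashes as switches.
WINDASH_CHARS = "-/\u2013\u2014\u2015"


def windash_contains(command_line: str, pattern: str) -> bool:
    """Emulate CommandLine|contains|windash (case-insensitive, like Sigma)."""
    head, _, tail = pattern.partition("-")
    regex = re.escape(head) + "[" + re.escape(WINDASH_CHARS) + "]" + re.escape(tail)
    return re.search(regex, command_line, re.IGNORECASE) is not None


def matches_cmdkey_generic_creds(event: dict) -> bool:
    """Evaluate the rule's condition: all of selection_*."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    # selection_img: path ends with \cmdkey.exe, or the PE's original name is
    # cmdkey.exe (this second check catches a renamed copy of the binary).
    selection_img = image.lower().endswith("\\cmdkey.exe") or original.lower() == "cmdkey.exe"
    cmdline = event.get("CommandLine", "")
    return selection_img and all(windash_contains(cmdline, p) for p in (" -g", " -u", " -p"))


# Constructed sample events; hosts, users and passwords are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmdkey.exe", "OriginalFileName": "cmdkey.exe",
     "CommandLine": r"cmdkey.exe /generic:TERMSRV/srv01 /user:corp\jdoe /pass:Placeholder1"},
    {"Image": r"C:\Windows\System32\cmdkey.exe", "OriginalFileName": "cmdkey.exe",
     "CommandLine": "cmdkey.exe /list"},
    # Renamed binary using "-" switches: only OriginalFileName identifies it.
    {"Image": r"C:\Users\Public\ck.exe", "OriginalFileName": "cmdkey.exe",
     "CommandLine": r"ck.exe -generic:TERMSRV/srv01 -user:corp\jdoe -pass:Placeholder1"},
    # Domain credential via /add: no " -g" term, so this rule does not fire.
    {"Image": r"C:\Windows\System32\cmdkey.exe", "OriginalFileName": "cmdkey.exe",
     "CommandLine": r"cmdkey.exe /add:srv01 /user:corp\jdoe /pass:Placeholder1"},
]


def evaluate_samples(events=SAMPLE_EVENTS) -> list:
    """Return one True/False verdict per event, in order."""
    return [matches_cmdkey_generic_creds(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print("ALERT" if hit else "ok   ", event["CommandLine"])
```

The fourth event shows the rule's scope: credentials stored with `/add` rather than `/generic` are not covered, so a separate rule is needed if those should alert too.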
