New Generic Credentials Added Via Cmdkey.EXE
Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via the command line interface (the stored credential is then picked up by the RDP client).
Sigma rule
title: New Generic Credentials Added Via Cmdkey.EXE
id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
status: test
description: |
    Detects usage of "cmdkey.exe" to add generic credentials.
    As an example, this can be used before connecting to an RDP session via command line interface.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023/02/03
modified: 2024/03/05
tags:
    - attack.credential_access
    - attack.t1003.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmdkey.exe'
        - OriginalFileName: 'cmdkey.exe'
    selection_cli_generic:
        CommandLine|contains|windash: ' -g' # Generic
    selection_cli_user:
        CommandLine|contains|windash: ' -u' # User
    selection_cli_password:
        CommandLine|contains|windash: ' -p' # Password
    condition: all of selection_*
falsepositives:
    - Legitimate usage for administration purposes
level: medium
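To show how the three `selection_*` blocks combine under `condition: all of selection_*`, and what the `windash` modifier buys the detection, here is an added, self-contained Python evaluator for this rule run over a handful of constructed process-creation events. It is example code, not part of the Sigma project or any backend; the set of dash characters expanded by `windash` and the event field names are assumptions for illustration (Sigma string matching is treated as case-insensitive, as the rule format specifies).

```python
# Minimal evaluator for the "New Generic Credentials Added Via Cmdkey.EXE" rule.
# Added example, not Sigma project code. Sigma string matches are
# case-insensitive; list entries inside a selection are OR-ed, and the rule's
# condition "all of selection_*" AND-s the selections together.

# Dash characters the "windash" modifier is expanded to (assumption: an
# illustrative set covering "-", "/" and common Unicode dashes).
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")

# The rule's detection section, transcribed as (field, modifiers, value) tuples.
RULE = {
    "selection_img": [
        ("Image", "endswith", "\\cmdkey.exe"),
        ("OriginalFileName", "", "cmdkey.exe"),
    ],
    "selection_cli_generic": [("CommandLine", "contains|windash", " -g")],
    "selection_cli_user": [("CommandLine", "contains|windash", " -u")],
    "selection_cli_password": [("CommandLine", "contains|windash", " -p")],
}


def candidates(value, modifiers):
    """Expand a pattern into the variants the modifiers imply (windash only here)."""
    if "windash" in modifiers:
        return [value.replace("-", dash, 1) for dash in WINDASH_VARIANTS]
    return [value]


def field_matches(actual, modifiers, expected):
    """Apply endswith/contains/equality, case-insensitively, across windash variants."""
    actual = (actual or "").lower()
    for cand in candidates(expected, modifiers):
        cand = cand.lower()
        if "endswith" in modifiers:
            hit = actual.endswith(cand)
        elif "contains" in modifiers:
            hit = cand in actual
        else:
            hit = actual == cand
        if hit:
            return True
    return False


def selection_matches(event, entries):
    """A selection written as a list matches if any of its entries matches."""
    return any(field_matches(event.get(f), mods, val) for f, mods, val in entries)


def rule_matches(event):
    """condition: all of selection_*"""
    return all(selection_matches(event, entries) for entries in RULE.values())


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: classic pattern the rule targets: generic cred stored for an RDP host
        "Image": "C:\\Windows\\System32\\cmdkey.exe",
        "OriginalFileName": "cmdkey.exe",
        "CommandLine": "cmdkey /generic:TERMSRV/srv01 /user:CORP\\admin /pass:Hunter2",
    },
    {   # 1: benign listing of cached credentials, no add switches
        "Image": "C:\\Windows\\System32\\cmdkey.exe",
        "OriginalFileName": "cmdkey.exe",
        "CommandLine": "cmdkey /list",
    },
    {   # 2: the switches appear, but the binary is not cmdkey.exe
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd /c echo -g -u -p",
    },
    {   # 3: renamed copy; OriginalFileName from the PE header still identifies it
        "Image": "C:\\Temp\\ck.exe",
        "OriginalFileName": "cmdkey.exe",
        "CommandLine": "ck -g:srv02 -u:bob -p:pw",
    },
    {   # 4: Unicode en-dashes instead of "-" or "/", caught thanks to windash
        "Image": "C:\\Windows\\System32\\cmdkey.exe",
        "OriginalFileName": "cmdkey.exe",
        "CommandLine": "cmdkey \u2013generic:srv03 \u2013user:alice \u2013pass:pw",
    },
]


def detect(events=SAMPLE_EVENTS):
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    print("alerting events:", detect())
```

Events 0, 3 and 4 alert; 1 and 2 do not. Two design points worth noting for triage: the `OriginalFileName` alternative is what keeps a renamed `cmdkey.exe` in scope, and because `contains` is used on short tokens like ` -p`, a full-length switch such as `/pass:` matches just as ` /p` would. Since the rule is medium level and legitimate administration is a listed false positive, it pairs naturally with follow-on context such as a subsequent `mstsc.exe` launch from the same session.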
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
Related rules
- Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
- Dumping of Sensitive Hives Via Reg.EXE
- Adding, Listing and Removing Credentials via Cmdkey CommandLine Utility
- Cred Dump Tools Dropped Files
- HackTool - Mimikatz Execution