New Generic Credentials Added Via Cmdkey.EXE

Detects usage of cmdkey to add generic credentials. For example, this step is required before connecting to an RDP session from the command-line interface.

Sigma rule (View on GitHub)

title: New Generic Credentials Added Via Cmdkey.EXE
id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
status: test
description: Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023/02/03
tags:
    - attack.credential_access
    - attack.t1003.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmdkey.exe'
        - OriginalFileName: 'cmdkey.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' /g'
            - ' /u'
            - ' /p'
    condition: all of selection*
falsepositives:
    - Legitimate usage for administration purposes
level: medium
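To show how the detection block above evaluates in practice, here is an added example (not code from the Sigma project or the rule's authors) that re-implements the rule's matching logic in Python and runs it over a few constructed process_creation events. The event dictionaries, the host names and the credential values in them are made up; the matching semantics (case-insensitive `endswith`, OR between the two `selection_img` entries, AND across the `contains|all` tokens, `all of selection*`) follow the rule as written. It also redacts the password argument before the command line is placed in an alert, because a `/p` or `/pass` value is logged in plaintext by process-creation telemetry.

```python
import re

# Added example, not part of the Sigma project: a minimal evaluator for this
# rule's detection block, run over constructed process_creation events.

CLI_TOKENS = (" /g", " /u", " /p")  # CommandLine|contains|all


def matches_selection_img(event: dict) -> bool:
    """selection_img is a YAML list of maps, so its two entries are OR-ed."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\cmdkey.exe") or original == "cmdkey.exe"


def matches_selection_cli(event: dict) -> bool:
    """contains|all: every token must appear; Sigma string matching is case-insensitive."""
    cmd = event.get("CommandLine", "").lower()
    return all(tok in cmd for tok in CLI_TOKENS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection* -> both selections must hold."""
    return matches_selection_img(event) and matches_selection_cli(event)


def redact_password(command_line: str) -> str:
    """Mask the value after /p or /pass so the plaintext secret never lands in an alert."""
    return re.sub(r"(\s/p(?:ass)?[:\s]+)\S+", r"\1<redacted>", command_line, flags=re.IGNORECASE)


# Constructed sample events (not real telemetry); host and credential values are invented.
SAMPLE_EVENTS = [
    {  # true positive: generic credential added for an RDP target
        "Image": "C:\\Windows\\System32\\cmdkey.exe",
        "OriginalFileName": "cmdkey.exe",
        "CommandLine": "cmdkey /generic:TERMSRV/fileserver01 /user:corp\\svc_backup /pass:Winter2023!",
    },
    {  # benign: listing stored credentials carries none of the /g /u /p tokens
        "Image": "C:\\Windows\\System32\\cmdkey.exe",
        "OriginalFileName": "cmdkey.exe",
        "CommandLine": "cmdkey /list",
    },
    {  # unrelated binary whose command line only partially overlaps the tokens
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd /c dir /g",
    },
    {  # renamed copy: Image no longer ends in cmdkey.exe, but OriginalFileName still matches
        "Image": "C:\\Temp\\renamed.exe",
        "OriginalFileName": "cmdkey.exe",
        "CommandLine": "renamed.exe /g:TERMSRV/host /u:admin /p:secret",
    },
]


def find_alerts(events):
    """Return (index, redacted command line) for every event the rule fires on."""
    return [(i, redact_password(e["CommandLine"]))
            for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for idx, cmd in find_alerts(SAMPLE_EVENTS):
        print(f"alert on event {idx}: {cmd}")
```

Running the block fires on the first and last sample events only: the `/list` invocation lacks the three tokens, and the `cmd.exe` event fails both selections. The last event illustrates why the rule pairs `Image|endswith` with `OriginalFileName`: the PE version resource survives a file rename, so the second selection entry still matches. The `falsepositives` entry is worth keeping in mind when triaging: administrators do store generic credentials with `cmdkey` legitimately, so the `medium` level is a prompt to check who ran it and against which target, not an automatic incident.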
