DeviceCredentialDeployment Execution
Detects the execution of DeviceCredentialDeployment to hide a process from view
Sigma rule (View on GitHub)
1title: DeviceCredentialDeployment Execution
2id: b8b1b304-a60f-4999-9a6e-c547bde03ffd
3status: test
4description: Detects the execution of DeviceCredentialDeployment to hide a process from view
5references:
6 - https://github.com/LOLBAS-Project/LOLBAS/pull/147
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-08-19
9tags:
10 - attack.defense-evasion
11 - attack.t1218
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 Image|endswith: '\DeviceCredentialDeployment.exe'
18 condition: selection
19falsepositives:
20 - Unlikely
21level: medium
References
-
New lolbin for hiding a console window (e.g. cmd.exe). First one that doesn't require PowerShell or VBS/JScript to my knowledge: DeviceCredentialDeployment.exe
Read More
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE