DeviceCredentialDeployment Execution
Detects the execution of DeviceCredentialDeployment to hide a process from view
Sigma rule (View on GitHub)
1title: DeviceCredentialDeployment Execution
2id: b8b1b304-a60f-4999-9a6e-c547bde03ffd
3status: test
4description: Detects the execution of DeviceCredentialDeployment to hide a process from view
5references:
6 - https://github.com/LOLBAS-Project/LOLBAS/pull/147
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/08/19
9tags:
10 - attack.defense_evasion
11 - attack.t1218
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 Image|endswith: '\DeviceCredentialDeployment.exe'
18 condition: selection
19falsepositives:
20 - Unlikely
21level: medium
References
-
New lolbin for hiding a console window (e.g. cmd.exe). First one that doesn't require PowerShell or VBS/JScript to my knowledge: DeviceCredentialDeployment.exe
Read More
Related rules
- Created Files by Microsoft Sync Center
- Execute MSDT Via Answer File
- Execute Pcwrun.EXE To Leverage Follina
- Ie4uinit Lolbin Use From Invalid Path
- Legitimate Application Dropped Archive