Suspicious Key Manager Access
Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
Sigma rule (View on GitHub)
1title: Suspicious Key Manager Access
2id: a4694263-59a8-4608-a3a0-6f8d3a51664c
3status: test
4description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
5references:
6 - https://twitter.com/NinjaParanoid/status/1516442028963659777
7author: Florian Roth (Nextron Systems)
8date: 2022-04-21
9modified: 2023-02-09
10tags:
11 - attack.credential-access
12 - attack.t1555.004
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_img:
18 - Image|endswith: '\rundll32.exe'
19 - OriginalFileName: 'RUNDLL32.EXE'
20 selection_cli:
21 CommandLine|contains|all:
22 - 'keymgr'
23 - 'KRShowKeyMgr'
24 condition: all of selection_*
25falsepositives:
26 - Administrative activity
27level: high
References
Related rules
- Access To Windows Credential History File By Uncommon Applications
- Access To Windows DPAPI Master Keys By Uncommon Applications
- Windows Credential Manager Access via VaultCmd
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript