New Virtual Smart Card Created Via TpmVscMgr.EXE

Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.

Sigma rule

title: New Virtual Smart Card Created Via TpmVscMgr.EXE
id: c633622e-cab9-4eaa-bb13-66a1d68b3e47
status: test
description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
references:
    - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-15
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\tpmvscmgr.exe'
        OriginalFileName: 'TpmVscMgr.exe'
    selection_cli:
        CommandLine|contains: 'create'
    condition: all of selection_*
falsepositives:
    - Legitimate usage by an administrator
level: medium
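
The rule's detection logic evaluated over constructed process-creation events, as an added example that is not part of the original rule or of the Sigma project's code. It assumes Sigma's default case-insensitive string matching and that a field missing from an event never matches; the function names and all event values are made up for illustration.

```python
# Added example: the rule's detection block re-implemented for illustration.
# Assumptions: case-insensitive matching; a missing field never matches.

def selection_img(ev):
    # Fields inside one selection are ANDed: both must match.
    image = ev.get("Image", "").lower()
    original = ev.get("OriginalFileName", "").lower()
    return image.endswith("\\tpmvscmgr.exe") and original == "tpmvscmgr.exe"

def selection_cli(ev):
    # CommandLine|contains: 'create' is a plain substring test.
    return "create" in ev.get("CommandLine", "").lower()

def rule_matches(ev):
    # condition: all of selection_*
    return selection_img(ev) and selection_cli(ev)

IMG = "C:\\Windows\\System32\\tpmvscmgr.exe"
OFN = "TpmVscMgr.exe"
CREATE = "tpmvscmgr.exe create /name MyVSC /pin default /adminkey random /generate"

# Constructed sample events (hypothetical values, not taken from real logs).
EVENTS = {
    "create": {"Image": IMG, "OriginalFileName": OFN, "CommandLine": CREATE},
    "create_uppercase": {"Image": IMG.upper(), "OriginalFileName": OFN,
                         "CommandLine": CREATE.upper()},
    # Help request: matches although no card is created (a benign hit to expect).
    "create_help": {"Image": IMG, "OriginalFileName": OFN,
                    "CommandLine": "tpmvscmgr.exe create /?"},
    "destroy": {"Image": IMG, "OriginalFileName": OFN,
                "CommandLine": "tpmvscmgr.exe destroy /instance ROOT\\SMARTCARDREADER\\0000"},
    # Event without an OriginalFileName field: selection_img cannot match.
    "no_original_filename": {"Image": IMG, "CommandLine": CREATE},
    "other_binary": {"Image": "C:\\Windows\\System32\\sc.exe",
                     "OriginalFileName": "sc.exe",
                     "CommandLine": "sc.exe create DemoSvc binPath= C:\\demo\\svc.exe"},
}

def evaluate(events):
    # Map each event name to whether the rule would fire on it.
    return {name: rule_matches(ev) for name, ev in events.items()}

if __name__ == "__main__":
    for name, hit in evaluate(EVENTS).items():
        print(f"{name:22} {'MATCH' if hit else 'no match'}")
```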
