Adding, Listing and Removing Credentials via Cmdkey CommandLine Utility

Detects the use of cmdkey to add, remove, or list credentials.

Sigma rule

title: Adding, Listing and Removing Credentials via Cmdkey CommandLine Utility
id: a5661068-c85f-4ee1-bc13-6b753bd2c7b7
description: Detects the use of cmdkey to add, remove, or list credentials.
references:
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise
    - https://ss64.com/nt/cmdkey.html#:~:text=CMDKEY.exe%20(Windows%202003%2B),and%20password%20to%20the%20list.
date: 2023/10/27
logsource:
    category: process_creation
    product: windows
detection:
    selection:
      Image|endswith:
        - '\cmdkey.exe'
      CommandLine|windash|contains:
        - ' -d'
        - ' -a'
        - ' -l'
    condition: selection
falsepositives:
    - Admins are using cmdkey.exe for legitimate purposes.
status: experimental
level: low
tags:
    - attack.credential_access
    - attack.t1003.005
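
The selection logic of this rule, re-implemented in Python as an added example (not part of the rule or of the Sigma project's code), to show what the windash modifier does in practice: each ' -x' value is expanded so that ' -l' also catches 'cmdkey /list', string comparison is case-insensitive, and the endswith suffix '\cmdkey.exe' only matches a real cmdkey.exe image. The process_creation events below are constructed samples; only '-' and '/' are expanded, which is an assumption of this example.

```python
import itertools
from typing import Dict, List

# Values copied from the Sigma rule above.
IMAGE_SUFFIXES = ["\\cmdkey.exe"]        # Image|endswith
CMDLINE_WINDASH = [" -d", " -a", " -l"]   # CommandLine|windash|contains


def windash_variants(value: str) -> List[str]:
    """Expand a Sigma 'windash' value into every '-' / '/' permutation, so
    ' -l' also matches 'cmdkey /list'. Only '-' and '/' are expanded here
    (an assumption of this example)."""
    dash_chars = "-/"
    positions = [i for i, ch in enumerate(value) if ch in dash_chars]
    variants = set()
    for combo in itertools.product(dash_chars, repeat=len(positions)):
        chars = list(value)
        for pos, replacement in zip(positions, combo):
            chars[pos] = replacement
        variants.add("".join(chars))
    return sorted(variants)


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate the rule's 'selection' against one process_creation event.
    Sigma string comparisons are case-insensitive, so both sides are lowered."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    image_hit = any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
    cmdline_hit = any(v.lower() in cmdline
                      for base in CMDLINE_WINDASH for v in windash_variants(base))
    return image_hit and cmdline_hit


def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    """Return one True/False per event, in order."""
    return [matches_rule(e) for e in events]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmdkey.exe", "CommandLine": r"cmdkey /add:fileserver01 /user:CORP\svc_backup"},
    {"Image": r"C:\Windows\System32\cmdkey.exe", "CommandLine": "cmdkey /list"},
    {"Image": r"C:\Windows\System32\cmdkey.exe", "CommandLine": "cmdkey -d TERMSRV/fileserver01"},
    {"Image": r"C:\Windows\System32\cmdkey.exe", "CommandLine": "cmdkey /?"},    # no add/delete/list switch
    {"Image": r"C:\Tools\notcmdkey.exe", "CommandLine": "notcmdkey /list"},     # suffix requires the backslash
]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "     ", event["CommandLine"])
```

The last two samples show the two non-matches: a cmdkey invocation that uses none of the three switches, and a differently named binary that merely ends in "cmdkey.exe" without the preceding backslash.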
