Credential Manager Access By Uncommon Applications
- source: sigma
- techniques:
- t1003
Description
Detects suspicious processes, identified by name and location, that access the Windows Credential Manager and vault files, which can be a sign of credential stealing. An example case would be use of the mimikatz "dpapi::cred" function.
Detection logic
condition: selection and not 1 of filter_*
filter_system_folders:
    Image|startswith:
        - 'C:\Program Files\'
        - 'C:\Program Files (x86)\'
        - 'C:\Windows\system32\'
        - 'C:\Windows\SysWOW64\'
selection:
    FileName|contains:
        - '\AppData\Local\Microsoft\Credentials\'
        - '\AppData\Roaming\Microsoft\Credentials\'
        - '\AppData\Local\Microsoft\Vault\'
        - '\ProgramData\Microsoft\Vault\'
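As an added example (not code from this page or from the Sigma project), a small Python evaluator that applies the condition above, using Sigma's default case-insensitive string matching, to constructed Sysmon-style file-access events. The event records, process paths and file names are constructed samples; the rule values are copied from the detection logic as shown.

```python
"""Constructed evaluator for the rule on this page (not Sigma's own engine)."""
from typing import Dict, List

# Rule values copied from the detection logic above.
SELECTION_FILENAME_CONTAINS: List[str] = [
    "\\AppData\\Local\\Microsoft\\Credentials\\",
    "\\AppData\\Roaming\\Microsoft\\Credentials\\",
    "\\AppData\\Local\\Microsoft\\Vault\\",
    "\\ProgramData\\Microsoft\\Vault\\",
]
FILTER_IMAGE_STARTSWITH: List[str] = [
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\Windows\\system32\\",
    "C:\\Windows\\SysWOW64\\",
]

def selection(event: Dict[str, str]) -> bool:
    """FileName|contains: true if any listed value occurs (case-insensitive)."""
    name = event.get("FileName", "").lower()
    return any(v.lower() in name for v in SELECTION_FILENAME_CONTAINS)

def filter_system_folders(event: Dict[str, str]) -> bool:
    """Image|startswith: true if the process image sits in a trusted folder."""
    image = event.get("Image", "").lower()
    return any(image.startswith(v.lower()) for v in FILTER_IMAGE_STARTSWITH)

def rule_matches(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_*"""
    return selection(event) and not filter_system_folders(event)

def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that trigger the rule."""
    return [e for e in events if rule_matches(e)]

# Constructed sample events (Sysmon-style Image / FileName fields), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # System binary touching the vault: matched by selection, suppressed by the filter.
    {"Image": "C:\\Windows\\system32\\lsass.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Vault\\EXAMPLE-GUID\\Policy.vpol"},
    # Binary outside the trusted folders reading a credential blob: alert.
    {"Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Credentials\\EXAMPLECREDBLOB"},
    # Same binary on an unrelated file: no selection match, no alert.
    {"Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "FileName": "C:\\Users\\alice\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["FileName"])
```

The first sample shows why the filter exists: a trusted-folder process touching the vault is expected, so the rule's signal comes from the combination of sensitive path and uncommon process location.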