LoFP / legitimate software installed by the users, for example in the "appdata" directory, may access these files (for any reason).

Techniques

Sample rules

Credential Manager Access By Uncommon Application

Description

Detects suspicious processes, based on name and location, that access the Windows Credential Manager and Vault files, which can be a sign of credential stealing. An example case would be use of the mimikatz "dpapi::cred" function.

Detection logic

selection:
  FileName|contains:
  - \AppData\Local\Microsoft\Credentials\
  - \AppData\Roaming\Microsoft\Credentials\
  - \AppData\Local\Microsoft\Vault\
  - \ProgramData\Microsoft\Vault\
filter_system_folders:
  Image|contains:
  - :\Program Files\
  - :\Program Files (x86)\
  - :\Windows\system32\
  - :\Windows\SysWOW64\
condition: selection and not 1 of filter_*
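The following is an added example, not code from the LoFP page or the Sigma project: it runs the rule's selection and filter logic over a handful of constructed file-access events (the process paths and credential-file names are made up) to show why the false positive above occurs. The optional `extra_image_filters` argument is a hypothetical local tuning, not part of the rule, added so the effect of whitelisting a user-installed application can be seen.

```python
"""
Replay of the 'Credential Manager Access By Uncommon Application' logic
over constructed file-access events.  Added example; the events and the
allow-list tuning are assumptions, not part of the rule or the LoFP page.
"""

# FileName|contains values from the rule's `selection`.
CREDENTIAL_STORE_PATHS = (
    "\\AppData\\Local\\Microsoft\\Credentials\\",
    "\\AppData\\Roaming\\Microsoft\\Credentials\\",
    "\\AppData\\Local\\Microsoft\\Vault\\",
    "\\ProgramData\\Microsoft\\Vault\\",
)

# Image|contains values from the rule's `filter_system_folders`.
SYSTEM_FOLDERS = (
    ":\\Program Files\\",
    ":\\Program Files (x86)\\",
    ":\\Windows\\system32\\",
    ":\\Windows\\SysWOW64\\",
)


def _contains_any(value, needles):
    """Sigma 'contains' modifier: case-insensitive substring test."""
    value = value.lower()
    return any(needle.lower() in value for needle in needles)


def matches_rule(event, extra_image_filters=()):
    """Return True when the rule's condition `selection and not 1 of filter_*`
    holds for one event.

    event: dict with 'Image' (accessing process) and 'FileName' (file touched).
    extra_image_filters: hypothetical additional Image|contains exclusions,
    i.e. a local tuning for the false positive described on this page.
    """
    selection = _contains_any(event.get("FileName", ""), CREDENTIAL_STORE_PATHS)
    filtered = _contains_any(event.get("Image", ""),
                             SYSTEM_FOLDERS + tuple(extra_image_filters))
    return selection and not filtered


def run_detection(events, extra_image_filters=()):
    """Return (Image, FileName) pairs for every event that fires the rule."""
    return [(e["Image"], e["FileName"])
            for e in events if matches_rule(e, extra_image_filters)]


# Constructed sample events (not real telemetry; blob names are placeholders).
SAMPLE_EVENTS = [
    # System process in system32: matches selection but is filtered out.
    {"Image": r"C:\Windows\System32\lsass.exe",
     "FileName": r"C:\Users\alice\AppData\Local\Microsoft\Credentials\0123456789ABCDEF"},
    # Dumping tool run from a user-writable folder: fires.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\mimikatz.exe",
     "FileName": r"C:\Users\alice\AppData\Local\Microsoft\Vault\PLACEHOLDER\Policy.vpol"},
    # The LoFP case: per-user software installed under AppData also fires.
    {"Image": r"C:\Users\alice\AppData\Local\Programs\CloudSync\cloudsync.exe",
     "FileName": r"C:\Users\alice\AppData\Roaming\Microsoft\Credentials\0123456789ABCDEF"},
    # Unrelated file access: selection does not match.
    {"Image": r"C:\Program Files\SomeVendor\app.exe",
     "FileName": r"C:\Users\alice\Documents\report.docx"},
]

# Hypothetical tuning for the vetted user-space application above.
CLOUDSYNC_FILTER = ("\\AppData\\Local\\Programs\\CloudSync\\cloudsync.exe",)

if __name__ == "__main__":
    print("Untuned rule:")
    for image, fname in run_detection(SAMPLE_EVENTS):
        print(f"  ALERT {image} -> {fname}")
    print("With the hypothetical CloudSync exclusion:")
    for image, fname in run_detection(SAMPLE_EVENTS, CLOUDSYNC_FILTER):
        print(f"  ALERT {image} -> {fname}")
```

Both the rule's own filter and the tuning shown here are path-based, so they only distinguish "installed under Program Files or Windows" from "elsewhere": an attacker who can write to those folders, or who names a dropper after a whitelisted program, sidesteps them. Where the file-access telemetry also carries the process hash or signer, tune on that rather than on the image path.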