Techniques
Sample rules
Credential Manager Access By Uncommon Application
- source: sigma
- techniques:
- t1003
Description
Detects suspicious processes, identified by name and location, that access the Windows Credential Manager and Vault, which can be a sign of credential theft. An example case would be use of the mimikatz "dpapi::cred" function.
Detection logic
condition: selection and not 1 of filter_*
filter_system_folders:
    Image|contains:
        - :\Program Files\
        - :\Program Files (x86)\
        - :\Windows\system32\
        - :\Windows\SysWOW64\
selection:
    FileName|contains:
        - \AppData\Local\Microsoft\Credentials\
        - \AppData\Roaming\Microsoft\Credentials\
        - \AppData\Local\Microsoft\Vault\
        - \ProgramData\Microsoft\Vault\
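The rule logic above, evaluated over a few constructed file-access events as an added example (not code from the Sigma project or the rule author). It assumes events carry the same `Image` and `FileName` fields the rule names, and that `contains` is case-insensitive as in Sigma; the sample paths are made up.

```python
from typing import Dict, List

# Match lists copied from the rule's detection logic.
SELECTION_FILENAME = [
    "\\AppData\\Local\\Microsoft\\Credentials\\",
    "\\AppData\\Roaming\\Microsoft\\Credentials\\",
    "\\AppData\\Local\\Microsoft\\Vault\\",
    "\\ProgramData\\Microsoft\\Vault\\",
]
FILTER_SYSTEM_FOLDERS_IMAGE = [
    ":\\Program Files\\",
    ":\\Program Files (x86)\\",
    ":\\Windows\\system32\\",
    ":\\Windows\\SysWOW64\\",
]


def contains_any(value: str, needles: List[str]) -> bool:
    """Sigma `contains` modifier over a list: case-insensitive substring, any of."""
    v = value.casefold()
    return any(n.casefold() in v for n in needles)


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_*  (one filter_* group in this rule)."""
    selection = contains_any(event.get("FileName", ""), SELECTION_FILENAME)
    filter_system_folders = contains_any(event.get("Image", ""), FILTER_SYSTEM_FOLDERS_IMAGE)
    return selection and not filter_system_folders


def evaluate(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image of every event the rule fires on."""
    return [e["Image"] for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry): process image and file it touched.
SAMPLE_EVENTS = [
    # Uncommon location touching the Credentials store: fires.
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Credentials\\EXAMPLE.cred"},
    # System binary touching the Vault: selection hits, but the filter suppresses it.
    {"Image": "C:\\Windows\\System32\\lsass.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Vault\\example\\Policy.vpol"},
    # Uncommon location touching an unrelated file: no selection hit.
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "FileName": "C:\\Users\\alice\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for image in evaluate(SAMPLE_EVENTS):
        print("ALERT:", image)
```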