From b987dc2508e2ef07a62089861ad49a0fa16e4be5 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Fri, 11 Apr 2025 18:16:52 +0200
Subject: [PATCH] feat(rules): Suspicious Vault client DLL load
Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided by the Credential Vault Client Library to enumerate or harvest saved credentials.
---
...ccess_suspicious_vault_client_dll_load.yml | 58 +++++++++++++++++++
1 file changed, 58 insertions(+)
create mode 100644 rules/credential_access_suspicious_vault_client_dll_load.yml
diff --git a/rules/credential_access_suspicious_vault_client_dll_load.yml b/rules/credential_access_suspicious_vault_client_dll_load.yml
new file mode 100644
index 000000000..4c7d9e25c
--- /dev/null
+++ b/rules/credential_access_suspicious_vault_client_dll_load.yml
@@ -0,0 +1,58 @@
+name: Suspicious Vault client DLL load
+id: 64af2e2e-2309-4079-9c0f-985f1dd930f5
+version: 1.0.0
+description: |
+ Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided
+ by the Credential Vault Client Library to enumerate or harvest saved credentials.
+labels:
+ tactic.id: TA0006
+ tactic.name: Credential Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0006/
+ technique.id: T1555
+ technique.name: Credentials from Password Stores
+ technique.ref: https://attack.mitre.org/techniques/T1555/
+ subtechnique.id: T1555.004
+ subtechnique.name: Windows Credential Manager
+ subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
+references:
+ - https://redcanary.com/blog/incident-response/active-breach-evading-defenses/
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+
+condition: >
+ sequence
+ maxspan 2m
+ |spawn_process and ps.exe != ''
+ and
+ not
+ (
+ ps.child.exe imatches
+ (
+ '?:\\Windows\\System32\\MDMAppInstaller.exe',
+ '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
+ '?:\\Program Files\\*.exe',
+ '?:\\Program Files (x86)\\*.exe',
+ '?:\\Windows\\winsxs\\*\\TiWorker.exe'
+ )
+ or
+ (ps.child.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule'))
+ or
+ (ps.child.exe imatches '?:\\Windows\\System32\\RuntimeBroker.exe')
+ or
+ (ps.exe imatches ('?:\\Program Files\\WindowsApps\\Microsoft.*.exe', '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe'))
+ or
+ (ps.child.exe imatches '?:\\WINDOWS\\System32\\svchost.exe' and ps.child.args intersects ('-k', 'wusvcs', '-p', '-s', 'WaaSMedicSvc'))
+ or
+ (ps.child.exe imatches '?:\\WINDOWS\\System32\\svchost.exe' and ps.child.args intersects ('-k', 'netsvcs', '-p', '-s', 
'TokenBroker'))
+ or
+ (ps.child.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.child.args not in ('-ServerName:BackgroundTaskHost.WebAccountProvider'))
+ )
+ | by ps.child.uuid
+ |load_dll and image.name ~= 'vaultcli.dll'| by ps.uuid
+
+output: >
+ Suspicious process %2.ps.exe loaded the Credential Vault Client DLL for potential credentials harvesting
+severity: high
+
+min-engine-version: 2.4.0
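Review bot: The `'?:\\Program Files\\*.exe'` and `'?:\\Program Files (x86)\\*.exe'` entries in the ps.child.exe exclusion list allow-list every executable under both Program Files trees by path alone, so a tool an adversary drops into a writable subdirectory there, or any third-party binary abused as a host process, can load vaultcli.dll without ever firing this rule. Narrowing those two patterns to the specific vendor directories that generated the false positives, or pairing them with an image signature/trust condition if the engine exposes one, keeps the noise reduction without the blanket bypass. The WindowsApps/NGenTask branch tests `ps.exe` (the parent in a spawn_process event) rather than `ps.child.exe`, so any child spawned by a Store app is excluded regardless of what it is; that reads as intentional but deserves a one-line comment saying so, as does the taskhostw branch's use of `ps.args` (parent args) where the other branches use `ps.child.args`. Because the sequence is bounded by `maxspan 2m`, a process that loads the DLL more than two minutes after creation (a lazily loading implant, or code injected into an already running process) is not covered at all; adding to `description` something like `Only DLL loads within two minutes of process creation are evaluated; long-lived processes need a standalone load_dll rule.` would make that coverage boundary explicit for analysts tuning the rule.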