Skip to content

feat(rules): New Suspicious Vault client DLL load rule #489

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rabbitstack merged 1 commit into from
Apr 16, 2025
Merged

feat(rules): New Suspicious Vault client DLL load rule #489

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions rules/credential_access_suspicious_vault_client_dll_load.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
name: Suspicious Vault client DLL load
id: 64af2e2e-2309-4079-9c0f-985f1dd930f5
version: 1.0.0
description: |
Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided
by the Credential Vault Client Library to enumerate or harvest saved credentials.
labels:
tactic.id: TA0006
tactic.name: Credential Access
tactic.ref: https://attack.mitre.org/tactics/TA0006/
technique.id: T1555
technique.name: Credentials from Password Stores
technique.ref: https://attack.mitre.org/techniques/T1555/
subtechnique.id: T1555.004
subtechnique.name: Windows Credential Manager
subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
references:
- https://redcanary.com/blog/incident-response/active-breach-evading-defenses/
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16

condition: >
sequence
maxspan 2m
|spawn_process and ps.exe != ''
and
not
(
ps.child.exe imatches
(
'?:\\Windows\\System32\\MDMAppInstaller.exe',
'?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
'?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe',
'?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
'?:\\Program Files\\*.exe',
'?:\\Program Files (x86)\\*.exe',
'?:\\Windows\\winsxs\\*\\TiWorker.exe'
)
or
(ps.child.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule'))
or
(ps.child.exe imatches '?:\\Windows\\System32\\RuntimeBroker.exe')
or
(ps.exe imatches ('?:\\Program Files\\WindowsApps\\Microsoft.*.exe', '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe'))
or
(ps.child.exe imatches '?:\\WINDOWS\\System32\\svchost.exe' and ps.child.args intersects ('-k', 'wusvcs', '-p', '-s', 'WaaSMedicSvc'))
or
(ps.child.exe imatches '?:\\WINDOWS\\System32\\svchost.exe' and ps.child.args intersects ('-k', 'netsvcs', '-p', '-s', 'TokenBroker'))
or
(ps.child.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.child.args not in ('-ServerName:BackgroundTaskHost.WebAccountProvider'))
)
| by ps.child.uuid
|load_dll and image.name ~= 'vaultcli.dll'| by ps.uuid

output: >
Suspicious process %2.ps.exe loaded the Credential Vault Client DLL for potential credentials harvesting
severity: high

min-engine-version: 2.4.0