From 9318bb61fe98dcd3110e9c5f849baead78731837 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Fri, 25 Apr 2025 17:47:05 +0200
Subject: [PATCH] refactor(rules): Improve Credential discovery via VaultCmd tool rule

Make the rule more resistant to evasion by checking the original process executable name and also performing case-insensitive match on the command line.
---
 ...cess_credential_discovery_via_vaultcmd.yml | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/rules/credential_access_credential_discovery_via_vaultcmd.yml b/rules/credential_access_credential_discovery_via_vaultcmd.yml
index 3cc80dcf4..ccae2d63c 100644
--- a/rules/credential_access_credential_discovery_via_vaultcmd.yml
+++ b/rules/credential_access_credential_discovery_via_vaultcmd.yml
@@ -1,9 +1,10 @@
-name: Credential discovery via VaultCmd.exe
+name: Credential discovery via VaultCmd tool
 id: 2ce607d3-5a14-4628-be8a-22bcde97dab5
-version: 1.0.1
+version: 1.1.0
 description: |
- Detects the usage of the VaultCmd tool to list Windows Credentials.
- VaultCmd creates, displays and deletes stored credentials.
+ Detects the usage of the VaultCmd tool to list Windows Credentials. VaultCmd creates,
+ displays and deletes stored credentials. An adversary may abuse this to list or dump
+ credentials stored in the Credential Manager.
 labels:
 tactic.id: TA0006
 tactic.name: Credential Access
@@ -16,12 +17,10 @@ labels:
 subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
 condition: >
- spawn_process and ps.child.name ~= 'VaultCmd.exe'
+ spawn_process and (ps.child.name ~= 'VaultCmd.exe' or ps.child.pe.file.name ~= 'vaultcmd.exe')
 and
- ps.child.args in
- (
- '"/listcreds:Windows Credentials"',
- '"/listcreds:Web Credentials"'
- )
+ ps.child.cmdline imatches '*/list*'
+
+severity: medium
 min-engine-version: 2.0.0
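Review bot: The rewritten description still scopes the rule to listing "Windows Credentials", while the condition in the second hunk now fires on any `/list*` switch, which covers the Web Credentials vault and, presumably, other list-style VaultCmd switches as well. The text should track the broadened trigger set so analysts reading the alert are not surprised, e.g. open with `Detects the usage of the VaultCmd tool to enumerate vaults or list stored credentials. VaultCmd creates,` and keep the remaining two lines as written.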
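Review bot: `ps.child.cmdline imatches '*/list*'` is unanchored, so it matches any VaultCmd command line containing `/list` anywhere, not only the `/listcreds` forms the previous version pinned; if widening to `/list` and similar switches is intended, a one-line comment above the condition saying so would stop a future maintainer from "fixing" it back, and if not, `'*/listcreds*'` keeps the case-insensitive and quoting-tolerant benefit without the extra breadth. Both identity checks, `ps.child.name` and `ps.child.pe.file.name`, compare strings carried by the binary itself (its on-disk name and its version resource), so the "more resistant to evasion" wording in the commit message is relative rather than complete; a short `# NOTE:` in the rule stating that an executable with an altered version resource is outside this rule's coverage would set expectations. The added blank `+` line sits inside the `condition: >` folded scalar and is harmless under default clip chomping, but moving `severity: medium` directly after the condition without the blank line keeps the scalar's boundary obvious.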