
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE

Detects usage of cmdkey to look for cached credentials on the system

Authors: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created: Wed Jan 16
Updated: Tue Mar 05
Rule ID: 07f8bdc2-c9b3-472a-9817-5a670b872f53
Platform: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_img:
        - Image|endswith: '\cmdkey.exe'
        - OriginalFileName: 'cmdkey.exe'
    selection_cli:
        CommandLine|contains|windash: ' -l'
    condition: all of selection*
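To make the matching semantics concrete, here is an added Python example (not part of the rule or the SigmaHQ project) that re-implements the two selectors and the `all of selection*` condition over a handful of constructed process-creation events. The set of dash characters that `windash` expands `-` into is my assumption of what pySigma does; the file paths and command lines are constructed.

```python
from typing import Dict, List

# Dash characters the Sigma "windash" modifier expands '-' into.
# Assumption: ASCII hyphen, slash, en dash, em dash and horizontal bar.
DASH_VARIANTS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash_variants(pattern: str) -> List[str]:
    """Return every variant of `pattern` with each '-' swapped for a dash variant."""
    variants = [""]
    for ch in pattern:
        choices = DASH_VARIANTS if ch == "-" else [ch]
        variants = [v + c for v in variants for c in choices]
    return variants


def selection_img(event: Dict[str, str]) -> bool:
    """A list of maps in Sigma is an OR; string matching is case-insensitive."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\cmdkey.exe") or original == "cmdkey.exe"


def selection_cli(event: Dict[str, str]) -> bool:
    """CommandLine|contains|windash: ' -l' also catches ' /l' and Unicode dashes."""
    cli = event.get("CommandLine", "").lower()
    return any(v in cli for v in windash_variants(" -l"))


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection* -> both selectors must hold."""
    return selection_img(event) and selection_cli(event)


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmdkey.exe", "CommandLine": "cmdkey /list"},
    {"Image": r"C:\Windows\System32\cmdkey.exe",
     "CommandLine": "cmdkey /add:fileserver /user:svc_backup /pass:placeholder"},
    {"Image": r"C:\Temp\ck.exe", "OriginalFileName": "cmdkey.exe",
     "CommandLine": "ck.exe \u2013l"},  # renamed binary, en dash instead of '-'
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c dir -l"},
]


def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    """Apply the rule to each event; True means the rule would fire."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "ok    ", event["CommandLine"])
```

The second event shows why the rule keys on ` -l` rather than on cmdkey.exe alone: adding a credential with `/add` is a normal administrative use and does not fire, while the third event shows the OriginalFileName branch catching a renamed copy.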
False Positives

Legitimate administrative tasks

Testing & Validation

Simulations

Atomic Red Team T1003.005: Cached Credential Dump via Cmdkey
GUID: 56506854-89d6-46a3-9804-b7fde90791f9

Regression Tests

Positive detection test by SigmaHQ Team (1 match, evtx), log source: Microsoft-Windows-Sysmon

Rule Metadata
Rule ID
07f8bdc2-c9b3-472a-9817-5a670b872f53
Status
test
Level
high
Type
Detection
Created
Wed Jan 16
Modified
Tue Mar 05
Path
rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
Raw Tags
attack.credential-access, attack.t1003.005