Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Enumerate Credentials from Windows Credential Manager With PowerShell

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Mon Dec 20Updated Sun Dec 25603c6630-5225-49c1-8047-26c964553e0ewindows
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic
Detection Logic2 selectors
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - vaultcmd
            - '/listcreds:'
    selection_option:
        ScriptBlockText|contains:
            - 'Windows Credentials'
            - 'Web Credentials'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
603c6630-5225-49c1-8047-26c964553e0e
Status
test
Level
medium
Type
Detection
Created
Mon Dec 20
Modified
Sun Dec 25
Author
François Hubaut
Path
rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
Raw Tags
attack.credential-accessattack.t1555
View on GitHub