Uncommon applications accessing the Windows Credential History File may indicate an adversary attempting to steal credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft activities early.
Detection Rule
title: Access To Windows Credential History File By Uncommon Applications
id: 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2
status: test
description: |
    Detects file access requests to the Windows Credential History File by an uncommon application.
    This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
references:
    - https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist
    - https://www.passcape.com/windows_password_recovery_dpapi_credhist
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
modified: 2024-07-29
tags:
    - attack.credential-access
    - attack.t1555.004
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|endswith: '\Microsoft\Protect\CREDHIST'
    filter_main_system_folders:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    filter_main_explorer:
        Image: 'C:\Windows\explorer.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
# Increase level after false positives filters are good enough
level: medium
imFileEvent
// ASIM file events carry the accessed file in TargetFilePath; the Sigma FileName|endswith test maps onto it.
| where TargetFilePath endswith "\\Microsoft\\Protect\\CREDHIST"
// The Sigma filters are on Image (the process doing the access), so the exclusions must be applied
// to the acting process path (ActingProcessName), not to the path of the file being accessed.
| where not(
    ActingProcessName startswith "C:\\Program Files\\"
    or ActingProcessName startswith "C:\\Program Files (x86)\\"
    or ActingProcessName startswith "C:\\Windows\\system32\\"
    or ActingProcessName startswith "C:\\Windows\\SysWOW64\\"
    or ActingProcessName =~ "C:\\Windows\\explorer.exe"
)
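The following is an added Python re-implementation of the rule's selection and filter logic, run over constructed sample file-access events; it is not code from the rule author, from Sigma, or from Sentinel, and the sample paths and process names are invented for illustration. It shows the case-insensitive matching Sigma specifies, that the exclusion prefixes include their trailing backslash, and that the explorer exclusion is an exact-path match.

```python
# Added example: evaluate the Sigma rule "Access To Windows Credential History
# File By Uncommon Applications" against constructed (Image, FileName) events.
# Raw strings cannot end in a backslash, so the prefixes use escaped strings.

SELECTION_SUFFIX = "\\Microsoft\\Protect\\CREDHIST"   # selection: FileName|endswith
TRUSTED_IMAGE_PREFIXES = (                          # filter_main_system_folders
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\Windows\\system32\\",
    "C:\\Windows\\SysWOW64\\",
)
EXPLORER_IMAGE = "C:\\Windows\\explorer.exe"        # filter_main_explorer (exact match)


def matches_rule(image: str, file_name: str) -> bool:
    """Return True when the event satisfies 'selection and not 1 of filter_main_*'."""
    # Sigma string modifiers (endswith/startswith/equality) are case-insensitive.
    image_l, file_l = image.lower(), file_name.lower()
    if not file_l.endswith(SELECTION_SUFFIX.lower()):
        return False
    # The filters apply to Image (the accessing process), never to the file path.
    # "1 of filter_main_*" means a single matching filter suppresses the alert.
    in_system_folder = any(image_l.startswith(p.lower()) for p in TRUSTED_IMAGE_PREFIXES)
    is_explorer = image_l == EXPLORER_IMAGE.lower()
    return not (in_system_folder or is_explorer)


# Constructed sample events (hypothetical paths), as the Microsoft-Windows-Kernel-File
# provider would report them: (Image, FileName).
CREDHIST = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST"
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\lsass.exe", CREDHIST),              # trusted folder: suppressed
    ("C:\\Windows\\explorer.exe", CREDHIST),                     # exact explorer path: suppressed
    ("C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", CREDHIST),  # uncommon process: alert
    ("C:\\Windows\\System32Evil\\svc.exe", CREDHIST),            # prefix needs the trailing '\': alert
    ("C:\\Windows\\Temp\\explorer.exe", CREDHIST),               # explorer filter is exact: alert
    ("C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "C:\\Users\\alice\\notes.txt"),                             # not CREDHIST: no alert
]


def flagged_images(events=SAMPLE_EVENTS) -> list[str]:
    """Images of the events that would raise the alert, in input order."""
    return [image for image, file_name in events if matches_rule(image, file_name)]


if __name__ == "__main__":
    for image in flagged_images():
        print("ALERT:", image)
```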
Scenario: Scheduled Job for Credential Synchronization
Description: A legitimate scheduled job runs a script that accesses the Credential History File as part of a synchronization process with a third-party identity management system.
Filter/Exclusion: Check for processes associated with known identity management tools (e.g., Microsoft Azure AD Connect, Okta, or Ping Identity) or filter by scheduled task names containing “sync” or “credential”.
Scenario: System File Integrity Check Using Windows Defender
Description: Windows Defender or another endpoint protection tool performs a file integrity check and accesses the Credential History File as part of its security scanning process.
Filter/Exclusion: Filter by process name (MsMpEng.exe, WindowsDefenderATP.exe) or check for file access events with the Read or Execute action that are part of a known security scan.
Scenario: Administrative Task to Review Credential History
Description: An administrator manually reviews the Credential History File using tools like PowerShell or Windows Event Viewer to investigate potential credential leaks.
Filter/Exclusion: Filter by user accounts with administrative privileges or check for access events initiated from known administrative tools (e.g., PowerShell.exe, eventvwr.exe).
Scenario: Use of Mimikatz for Validated Credential Dumping
Description: A red team or security team uses Mimikatz to dump credentials for legitimate forensic or security testing purposes.
Filter/Exclusion: Filter by process names associated with security testing tools (e.g., mimikatz.exe, sekurlsa.exe) or check for access events originating from a known security testing environment.
Scenario: Third-Party Application for Credential Management
Description: A third-party application (e.g., BitLocker recovery tool, Microsoft Intune, or Azure AD Connect) accesses the Credential History