The hypothesis is that an adversary is attempting to exfiltrate credentials from a system, which could be the first step in gaining persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential credential theft before it leads to broader compromise.
YARA Rule
rule cred_local {
    meta:
        author = "x0r"
        description = "Steal credential"
        version = "0.1"
    strings:
        $c1 = "LsaEnumerateLogonSessions"
        $c2 = "SamIConnect"
        $c3 = "SamIGetPrivateData"
        $c4 = "SamQueryInformationUse"
        $c5 = "CredEnumerateA"
        $c6 = "CredEnumerateW"
        $r1 = "software\\microsoft\\internet account manager" nocase
        $r2 = "software\\microsoft\\identitycrl\\creds" nocase
        $r3 = "Security\\Policy\\Secrets"
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns in its detection logic.
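To make the rule's matching semantics concrete, the following added example re-implements the nine strings and the "any of them" condition in plain Python and runs them over constructed byte fragments. It is not code from the page or from the rule's author; the sample blobs are invented stand-ins for scanned file content. It shows two properties a hunter should know before trusting hits: seven strings are case-sensitive while $r1 and $r2 are not, and because no string carries the wide modifier, the same API name stored as UTF-16LE is not detected.

```python
"""Plain-Python model of the cred_local rule (added example, not the page's code)."""

# $c1-$c6 and $r3 carry no modifier: YARA matches them case-sensitively and,
# with no 'wide' modifier, only as single-byte ASCII text.
CASE_SENSITIVE = {
    "$c1": b"LsaEnumerateLogonSessions",
    "$c2": b"SamIConnect",
    "$c3": b"SamIGetPrivateData",
    "$c4": b"SamQueryInformationUse",
    "$c5": b"CredEnumerateA",
    "$c6": b"CredEnumerateW",
    "$r3": b"Security\\Policy\\Secrets",
}

# $r1 and $r2 carry 'nocase': letters are compared case-insensitively.
NOCASE = {
    "$r1": b"software\\microsoft\\internet account manager",
    "$r2": b"software\\microsoft\\identitycrl\\creds",
}


def match_cred_local(data: bytes) -> list:
    """Return the identifiers of rule strings present in data, in rule order."""
    hits = [ident for ident, needle in CASE_SENSITIVE.items() if needle in data]
    folded = data.lower()  # bytes.lower() folds ASCII letters only, which is what nocase needs
    hits += [ident for ident, needle in NOCASE.items() if needle in folded]
    return hits


def rule_fires(data: bytes) -> bool:
    """'any of them': the rule matches as soon as a single string is found."""
    return bool(match_cred_local(data))


# Constructed samples (not real binaries) standing in for scanned file content.
SAMPLE_SUSPECT = (
    b"\x00\x00CredEnumerateA\x00advapi32.dll\x00"
    b"SOFTWARE\\Microsoft\\IdentityCRL\\Creds\x00"   # mixed case, caught by nocase $r2
)
SAMPLE_BENIGN = b"GetModuleHandleW\x00CreateFileW\x00kernel32.dll\x00"
# The same API name as a UTF-16LE string: invisible to the rule as written.
SAMPLE_WIDE = "CredEnumerateA".encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN), ("wide", SAMPLE_WIDE)):
        print(f"{name:8s} fires={rule_fires(blob)} strings={match_cred_local(blob)}")
```

In production you would compile the rule text with yara-python (yara.compile(source=...) followed by .match(data=...)) rather than re-implementing it; the model above exists only to make the modifier behaviour visible. If UTF-16 occurrences matter for your telemetry, the fix is in the rule (add the wide modifier, for example "CredEnumerateA" ascii wide), not in the scanner.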
Scenario: Scheduled Job to Rotate Passwords
Description: A system administrator uses a script (e.g., PowerShell or Ansible) to automate password rotation for user accounts.
Filter/Exclusion: Check for user-agent or script name containing “password rotation” or “pam” (Pluggable Authentication Module). Exclude processes initiated by a known admin account with elevated privileges.
Scenario: Admin Task to Export User Credentials for Reporting
Description: An admin exports user credentials (e.g., via CSV or LDAP) for auditing or reporting purposes using tools like Active Directory Users and Computers or PowerShell.
Filter/Exclusion: Filter by process name or command line containing “export”, “report”, or “audit”. Exclude activities originating from a trusted admin account during scheduled reporting windows.
Scenario: Credential Dumping for Security Audit
Description: A security team uses tools like mimikatz or PowerView to dump credentials as part of a security assessment or penetration test.
Filter/Exclusion: Check for presence of mimikatz, PowerView, or Invoke-Mimikatz in the command line. Exclude activities that occur within a sanctioned security testing environment.
Scenario: Automated Backup of Credential Store
Description: A backup job runs to archive credentials stored in a vault (e.g., AWS Secrets Manager, Vault, or Azure Key Vault) using a scheduled task.
Filter/Exclusion: Filter by process name or command line containing “backup”, “vault”, or “secrets”. Exclude activities that occur during regular backup windows and are initiated by a known backup service account.
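The four filters above each pair a keyword test with a context condition (account, host or time window). The added example below encodes them as a single triage function over enriched alert events; it is not code from the page, and the account names, host names, time windows and sample events are constructed placeholders for an organisation's own inventory. The design point it demonstrates is that a keyword alone never suppresses an alert: each exclusion also requires its account, host or window condition, and keyword matching is whole-word so that a short token like "pam" does not match unrelated command lines.

```python
"""Triage filter for cred_local hits based on the benign-activity scenarios (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Event:
    """One alert enriched with process telemetry (field names are assumptions)."""
    process: str
    command_line: str
    user: str        # account that started the process
    host: str
    timestamp: datetime


# Constructed allowlists; replace with the real inventory before use.
KNOWN_ADMIN_ACCOUNTS = {"CORP\\svc-pwrotate", "CORP\\adm-reporting"}
BACKUP_SERVICE_ACCOUNTS = {"CORP\\svc-backup"}
SANCTIONED_TEST_HOSTS = {"LAB-PENTEST01"}
REPORTING_WINDOW = (time(1, 0), time(3, 0))    # assumed scheduled reporting window
BACKUP_WINDOW = (time(22, 0), time(23, 59))    # assumed regular backup window


def _in_window(ts: datetime, window) -> bool:
    start, end = window
    return start <= ts.time() <= end


def _has_keyword(text: str, words) -> bool:
    # Whole-token match so that 'pam' does not fire on 'spam' or 'pampered'.
    lowered = text.lower()
    return any(re.search(r"(?<!\w)" + re.escape(w) + r"(?!\w)", lowered) for w in words)


def triage(ev: Event) -> tuple:
    """Return ('suppress', reason) when one scenario's keyword AND context condition
    both hold, otherwise ('investigate', reason)."""
    text = f"{ev.process} {ev.command_line}"
    # Scenario: scheduled password rotation
    if _has_keyword(text, ("password rotation", "pam")) and ev.user in KNOWN_ADMIN_ACCOUNTS:
        return ("suppress", "password rotation by known admin account")
    # Scenario: admin export for reporting
    if (_has_keyword(text, ("export", "report", "audit"))
            and ev.user in KNOWN_ADMIN_ACCOUNTS
            and _in_window(ev.timestamp, REPORTING_WINDOW)):
        return ("suppress", "credential export by admin inside reporting window")
    # Scenario: credential dumping during a sanctioned assessment
    if (_has_keyword(text, ("mimikatz", "powerview", "invoke-mimikatz"))
            and ev.host in SANCTIONED_TEST_HOSTS):
        return ("suppress", "credential dumping on sanctioned test host")
    # Scenario: automated backup of a credential store
    if (_has_keyword(text, ("backup", "vault", "secrets"))
            and ev.user in BACKUP_SERVICE_ACCOUNTS
            and _in_window(ev.timestamp, BACKUP_WINDOW)):
        return ("suppress", "credential-store backup by backup account inside window")
    return ("investigate", "no sanctioned-activity filter applies")


# Constructed sample events, not real telemetry.
EVENTS = [
    Event("powershell.exe", "powershell.exe -File C:\\Tools\\Invoke-Mimikatz.ps1",
          "CORP\\pentester1", "LAB-PENTEST01", datetime(2024, 5, 2, 10, 15)),
    Event("powershell.exe", "powershell.exe -File C:\\Users\\Public\\Invoke-Mimikatz.ps1",
          "CORP\\jdoe", "WS-FIN-042", datetime(2024, 5, 2, 10, 15)),
    Event("backup-agent.exe", "backup-agent.exe --vault azure-keyvault --archive",
          "CORP\\svc-backup", "SRV-BACKUP01", datetime(2024, 5, 2, 22, 30)),
    Event("powershell.exe", "powershell.exe Export-ADUsers -Report",
          "CORP\\adm-reporting", "SRV-ADM01", datetime(2024, 5, 2, 14, 0)),
]

if __name__ == "__main__":
    for ev in EVENTS:
        verdict, reason = triage(ev)
        print(f"{verdict:11s} {ev.host:13s} {ev.user:20s} {reason}")
```

The second and fourth sample events show why both halves of each filter matter: the same Invoke-Mimikatz command line on a workstation outside the lab, and an admin export outside the reporting window, both stay open for investigation even though their keywords match.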
Scenario: User-Initiated Credential Reset via Help Desk Tool
Description: A