Uncommon applications accessing the Windows Credential Manager may indicate an adversary attempting to exfiltrate stored credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft activities early.
Detection Rule
title: Credential Manager Access By Uncommon Applications
id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
status: test
description: |
    Detects suspicious processes based on name and location that access the windows credential manager and vault.
    Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
references:
    - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-11
modified: 2024-07-29
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\AppData\Local\Microsoft\Credentials\'
            - '\AppData\Roaming\Microsoft\Credentials\'
            - '\AppData\Local\Microsoft\Vault\'
            - '\ProgramData\Microsoft\Vault\'
    filter_system_folders:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason).
# Increase level after false positives filters are good enough
level: medium
Azure Sentinel Query (KQL)
imFileEvent
// Sigma "FileName" is the full path of the accessed file; the ASIM file event schema
// carries that in TargetFilePath (the imFileEvent parser exposes no "FileName" column)
| where TargetFilePath contains "\\AppData\\Local\\Microsoft\\Credentials\\"
    or TargetFilePath contains "\\AppData\\Roaming\\Microsoft\\Credentials\\"
    or TargetFilePath contains "\\AppData\\Local\\Microsoft\\Vault\\"
    or TargetFilePath contains "\\ProgramData\\Microsoft\\Vault\\"
// The exclusion belongs on the accessing process image (Sigma "Image"), not on the accessed
// file: a credential file under AppData never starts with a system folder, so a filter on
// TargetFilePath would never exclude anything. ASIM's acting process image path is assumed
// here to be ActingProcessName; adjust if your parser names that field differently
| where not (ActingProcessName startswith "C:\\Program Files\\"
    or ActingProcessName startswith "C:\\Program Files (x86)\\"
    or ActingProcessName startswith "C:\\Windows\\system32\\"
    or ActingProcessName startswith "C:\\Windows\\SysWOW64\\")
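The rule's selection-and-filter logic run over constructed file-access events, as an added example that is not code from the rule's author, Sigma, or Sentinel: it evaluates the condition as intended (exclusion on the accessing process image) and shows what happens when the system-folder exclusion is mistakenly applied to the accessed file's path. Field names are the Sigma rule's own (FileName, Image); the sample events are constructed.

```python
from typing import Dict, List

# The rule's own string lists (Sigma FileName|contains and Image|startswith)
CRED_STORE_PATHS = [
    "\\AppData\\Local\\Microsoft\\Credentials\\",
    "\\AppData\\Roaming\\Microsoft\\Credentials\\",
    "\\AppData\\Local\\Microsoft\\Vault\\",
    "\\ProgramData\\Microsoft\\Vault\\",
]
SYSTEM_FOLDERS = [
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\Windows\\system32\\",
    "C:\\Windows\\SysWOW64\\",
]


def _contains_any(value: str, needles: List[str]) -> bool:
    # Sigma string modifiers match case-insensitively (as do KQL contains/startswith),
    # so "C:\Windows\System32\" must still hit the lower-case "system32" entry.
    value = value.lower()
    return any(n.lower() in value for n in needles)


def _startswith_any(value: str, prefixes: List[str]) -> bool:
    value = value.lower()
    return any(value.startswith(p.lower()) for p in prefixes)


def matches_rule(event: Dict[str, str], filter_field: str = "Image") -> bool:
    """Evaluate 'selection and not 1 of filter_*' for one file-access event.

    filter_field is the event field the system-folder exclusion is tested against:
    "Image" is the rule's intent; "FileName" reproduces a mistaken translation that
    tests the accessed file's path instead of the accessing process.
    """
    selection = _contains_any(event["FileName"], CRED_STORE_PATHS)
    excluded = _startswith_any(event[filter_field], SYSTEM_FOLDERS)
    return selection and not excluded


# Constructed sample events in the rule's field names (not real telemetry).
EVENTS = [
    {"Image": "C:\\Users\\alice\\Downloads\\tool.exe",  # tool running from the user profile
     "FileName": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Credentials\\0123ABCD"},
    {"Image": "C:\\Windows\\System32\\lsass.exe",  # OS component, should be excluded
     "FileName": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Credentials\\0123ABCD"},
    {"Image": "C:\\Users\\alice\\Downloads\\tool.exe",  # not a credential store path
     "FileName": "C:\\Users\\alice\\Documents\\notes.txt"},
]


def alerting_images(events: List[Dict[str, str]], filter_field: str = "Image") -> List[str]:
    """Return the image paths of the events the rule would alert on."""
    return [e["Image"] for e in events if matches_rule(e, filter_field)]
```

With the exclusion on Image only the user-profile tool alerts; with it on FileName the lsass.exe access alerts too, because no file under AppData starts with a system folder.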
Scenario: A legitimate system update or patching tool (e.g., Microsoft Update or Windows Server Update Services) accesses the Credential Manager during a scheduled maintenance task.
Filter/Exclusion: Check the process name against known update tools and exclude processes from the C:\Windows\ or C:\Windows\System32\ directories during scheduled maintenance windows.
Scenario: A third-party application used for secure credential storage (e.g., Bitwarden, 1Password) accesses the Credential Manager to sync credentials.
Filter/Exclusion: Exclude processes from known secure credential managers by checking the process name and signing certificate, or by whitelisting the application’s executable path.
Scenario: A system administrator uses PowerShell or a script to access the Credential Manager for troubleshooting or configuration purposes.
Filter/Exclusion: Exclude processes with a parent process that is a known administrative tool (e.g., powershell.exe with parent explorer.exe or cmd.exe) and filter by user context (e.g., domain admin or local admin).
Scenario: A scheduled job (e.g., via Task Scheduler) runs a script that temporarily accesses the Credential Manager to retrieve credentials for a service or application.
Filter/Exclusion: Exclude processes that are part of a known scheduled job by checking the task name, user context, and process parent. Use a filter like Process.parent.name == "schtasks.exe" or similar.
Scenario: A legitimate security tool (e.g., Microsoft Defender ATP, CrowdStrike Falcon) accesses the Credential Manager as part of its security scanning or forensic analysis.
Filter/Exclusion: Exclude processes from known security tools by checking the process name and digital signature, or by using a whitelist of trusted security software.