Credential Enumeration via Credential Vault CLI

Identifies use of the Credential Vault command line interface to enumerate a user’s saved credentials.

id: 11968244-6db0-4e03-886c-e3983f9d9024
categories: detect
confidence: high
os: windows
created: 8/16/2019
updated: 8/16/2019

MITRE ATT&CK™ Mapping

tactics: Credential Access
techniques: T1003 Credential Dumping

Query

process where subtype.create and
  process_name == "vaultcmd.exe" and
  command_line == "* /list*"
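
The query's matching logic applied to sample process events, as an added example that is not part of the analytic itself. The events are constructed, the helper names are hypothetical, and case-insensitive comparison with `*` as the only wildcard is an assumption about how the query engine evaluates `==`.

```python
import re

# Constructed process events (not real telemetry); field names follow the query.
EVENTS = [
    {"event_type": "process", "subtype": "create", "pid": 4100,
     "process_name": "vaultcmd.exe", "command_line": "vaultcmd.exe /list"},
    {"event_type": "process", "subtype": "create", "pid": 4212,
     "process_name": "VaultCmd.exe",
     "command_line": r'"C:\Windows\System32\VaultCmd.exe" /listcreds:"Windows Credentials" /all'},
    {"event_type": "process", "subtype": "create", "pid": 4300,
     "process_name": "vaultcmd.exe", "command_line": "vaultcmd.exe /?"},
    {"event_type": "process", "subtype": "terminate", "pid": 4100,
     "process_name": "vaultcmd.exe", "command_line": "vaultcmd.exe /list"},
    {"event_type": "process", "subtype": "create", "pid": 4420,
     "process_name": "cmd.exe", "command_line": "cmd.exe /c dir /list"},
]


def wildcard_equals(pattern, value):
    """Compare like the query's `==`: '*' matches any run of characters,
    everything else is literal, and case is ignored (assumed semantics)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def matches_rule(event):
    """process where subtype.create and process_name == "vaultcmd.exe"
    and command_line == "* /list*" """
    return (
        event.get("event_type") == "process"
        and event.get("subtype") == "create"
        and wildcard_equals("vaultcmd.exe", event.get("process_name", ""))
        and wildcard_equals("* /list*", event.get("command_line", ""))
    )


def detect(events):
    """Return the events that the analytic would flag."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["pid"], hit["command_line"])
```

Because the pattern is `* /list*`, any switch that begins with `/list` is flagged, which is why the `/listcreds:` invocation in the second event matches alongside the plain `/list` call.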

Contributors