Suspicious Process Loading Credential Vault DLL¶
Identifies an unexpected process loading the Windows Credential Vault DLL in preparation of enumerating/stealing a user’s saved credentials.
| id: | 679560ee-0ea0-4358-bf83-e4c478d9d1c8 |
|---|---|
| categories: | detect |
| confidence: | high |
| os: | windows |
| created: | 8/16/2019 |
| updated: | 8/16/2019 |
MITRE ATT&CK™ Mapping¶
| tactics: | Credential Access |
|---|---|
| techniques: | T1003 Credential Dumping |
Query¶
image_load where process_name != "vaultcmd.exe" and
image_name == "vaultcli.dll"