Suspicious Process Loading Credential Vault DLL¶
Identifies an unexpected process loading the Windows Credential Vault DLL in preparation of enumerating/stealing a user’s saved credentials.
id: | 679560ee-0ea0-4358-bf83-e4c478d9d1c8 |
---|---|
categories: | detect |
confidence: | high |
os: | windows |
created: | 8/16/2019 |
updated: | 8/16/2019 |
MITRE ATT&CK™ Mapping¶
tactics: | Credential Access |
---|---|
techniques: | T1003 Credential Dumping |
Query¶
image_load where process_name != "vaultcmd.exe" and
image_name == "vaultcli.dll"