Suspicious Process Loading Credential Vault DLL¶

Identifies an unexpected process loading the Windows Credential Vault DLL in preparation of enumerating/stealing a user’s saved credentials.

id:	679560ee-0ea0-4358-bf83-e4c478d9d1c8
categories:	detect
confidence:	high
os:	windows
created:	8/16/2019
updated:	8/16/2019

MITRE ATT&CK™ Mapping¶

tactics:	Credential Access
techniques:	T1003 Credential Dumping

Query¶

image_load where process_name != "vaultcmd.exe" and
  image_name == "vaultcli.dll"

Contributors¶

David French

References¶

https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-8de93338c16

Read the Docs v: latest

Versions: latest

Downloads: pdf; html; epub

On Read the Docs: Project Home; Builds

Free document hosting provided by Read the Docs.