Potential Credential Access via Trusted Developer Utility

About

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Credential AccessTactic: Defense EvasionData Source: Elastic DefendData Source: SysmonLanguage: eql

Severity

high

Risk Score

73

MITRE ATT&CK™

Credential Access (TA0006)(opens in a new tab or window)

↳ OS Credential Dumping (T1003)(opens in a new tab or window)

↳ Credentials from Password Stores (T1555)(opens in a new tab or window)

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Trusted Developer Utilities Proxy Execution (T1127)(opens in a new tab or window)

False Positive Examples

The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

winlogbeat-*logs-endpoint.events.process-*logs-endpoint.events.library-*logs-windows.sysmon_operational-*

Related Integrations

endpoint(opens in a new tab or window)

windows(opens in a new tab or window)

Query

sequence by process.entity_id
 [process where host.os.type == "windows" and event.type == "start" and (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe")]
 [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
  (?dll.name : ("vaultcli.dll", "SAMLib.DLL") or file.name : ("vaultcli.dll", "SAMLib.DLL"))]