
Credentials from Password Stores T1555

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Events covered

5 catalog events are tagged with this technique by at least one rule.

Provider           | Event ID | Title
Sysmon             | 1        | Process creation
Sysmon             | 11       | FileCreate
Security-Auditing  | 4688     | A new process has been created.
Security-Auditing  | 5382     | Vault credentials were read.
PowerShell         | 4104     | Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 8 rules under this technique (listed at the bottom of this page): which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (9 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field              | Rules | How                   | Sample values
ScriptBlockText    | 3     | match 3               | New-Object, Windows.Security.Credentials.PasswordVault, [System.Runtime.InteropServices.RuntimeEnvironment]::GetR..., Windows Credentials, Web Credentials
Image              | 2     | ends_with 2           | PasswordDump.exe, \rundll32.exe, \wmic.exe, \pwsh.exe
Resource           | 1     | starts_with 1         | http
SchemaFriendlyName | 1     | eq 1                  | Windows Web Password Credential
TargetFilename     | 1     | ends_with 1, match 1  | .cer, ntds_capi_, ntds_legacy_
OriginalFileName   | 1     | ends_with 1           | PasswordDump.exe
Company            | 1     | eq 1                  | SecurityXploded
CommandLine        | 1     | match 1               | WinPwn , WinPwn.exe, WinPwn.ps1
ParentImage        | 1     | ends_with 1           | \Serv-U.exe

Top indicator values (48 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field              | Kind        | Value                                                                    | Rules (here) | Corpus reach
Resource           | starts_with | http                                                                     | 1            |
SchemaFriendlyName | eq          | Windows Web Password Credential                                          | 1            |
TargetFilename     | match       | ntds_capi_                                                               | 1            |
TargetFilename     | ends_with   | .cer                                                                     | 1            | 2
TargetFilename     | match       | ntds_legacy_                                                             | 1            |
TargetFilename     | ends_with   | .key                                                                     | 1            | 2
TargetFilename     | match       | ntds_unknown_                                                            | 1            |
TargetFilename     | ends_with   | .pfx                                                                     | 1            |
TargetFilename     | ends_with   | .pvk                                                                     | 1            |
ScriptBlockText    | match       | Windows.Security.Credentials.PasswordVault                               | 1            |
ScriptBlockText    | match       | Get-PasswordVaultCredentials                                             | 1            |
ScriptBlockText    | match       | Microsoft.CSharp.CSharpCodeProvider                                      | 1            |
ScriptBlockText    | match       | [System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()) | 1         |
ScriptBlockText    | match       | Collections.ArrayList                                                    | 1            |
ScriptBlockText    | match       | System.CodeDom.Compiler.CompilerParameters                               | 1            |
ScriptBlockText    | match       | Get-CredManCreds                                                         | 1            |
ScriptBlockText    | match       | New-Object                                                               | 1            | 6
ScriptBlockText    | match       | Web Credentials                                                          | 1            |
ScriptBlockText    | match       | Windows Credentials                                                      | 1            |
ScriptBlockText    | match       | /listcreds:                                                              | 1            |

Common exclusions (2 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field    | Kind | Value             | Rules excluding
LogonId  | eq   | 0x3e7             | 1
Resource | eq   | http://localhost/ | 1
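To show how the normalized field/operator rows and the top-level exclusions combine into a rule, here is an added example, not code from this catalog or from any of the Sigma or Elastic rules it indexes. It evaluates two hypothetical rules assembled from this page's tables (a Vault-credentials-read rule over event 5382 with the LogonId 0x3e7 and http://localhost/ exclusions, and a PasswordVault script-block rule over event 4104) against constructed sample events. The operator semantics (eq, starts_with, ends_with, match as substring, wildcard, regex_match), the rule names, and every event are assumptions for illustration; no real log output is reproduced.

```python
"""Evaluate normalized (field, operator, values) predicates plus top-level
exclusions against sample Windows events.

Constructed example: field names follow the authoring guide on this page; the
operator semantics, rule names and sample events are assumptions, not real logs."""
import fnmatch
import re

# Assumed meaning of the operators listed in the How/Kind columns.
OPS = {
    "eq":          lambda actual, want: actual == want,
    "starts_with": lambda actual, want: actual.startswith(want),
    "ends_with":   lambda actual, want: actual.endswith(want),
    "match":       lambda actual, want: want in actual,          # substring, like Sigma |contains
    "wildcard":    lambda actual, want: fnmatch.fnmatchcase(actual, want),
    "regex_match": lambda actual, want: re.search(want, actual) is not None,
}


def predicate_hits(event, field, op, values):
    """True if event[field] satisfies `op` for any of the listed values."""
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual)
    return any(OPS[op](actual, v) for v in values)


def rule_hits(event, selection, exclusions=()):
    """A rule fires when every selection predicate holds and no exclusion does.
    `selection` and `exclusions` are lists of (field, op, [values]) tuples."""
    if not all(predicate_hits(event, *p) for p in selection):
        return False
    return not any(predicate_hits(event, *p) for p in exclusions)


# Hypothetical rules built from this page's indicator and exclusion tables.
VAULT_READ = {
    "selection": [
        ("EventID", "eq", ["5382"]),
        ("SchemaFriendlyName", "eq", ["Windows Web Password Credential"]),
        ("Resource", "starts_with", ["http"]),
    ],
    "exclusions": [
        ("LogonId", "eq", ["0x3e7"]),            # the SYSTEM logon session
        ("Resource", "eq", ["http://localhost/"]),
    ],
}
PASSWORDVAULT_SCRIPT = {
    "selection": [
        ("EventID", "eq", ["4104"]),
        ("ScriptBlockText", "match",
         ["Windows.Security.Credentials.PasswordVault", "Get-PasswordVaultCredentials"]),
    ],
    "exclusions": [],
}
RULES = {"vault_read": VAULT_READ, "passwordvault_script": PASSWORDVAULT_SCRIPT}

# Constructed sample events with normalized field names (invented, not captured).
EVENTS = [
    {"id": "e1", "EventID": "5382", "SchemaFriendlyName": "Windows Web Password Credential",
     "Resource": "https://mail.example.test/", "LogonId": "0x5a2f1"},
    {"id": "e2", "EventID": "5382", "SchemaFriendlyName": "Windows Web Password Credential",
     "Resource": "http://localhost/", "LogonId": "0x5a2f1"},             # excluded resource
    {"id": "e3", "EventID": "5382", "SchemaFriendlyName": "Windows Web Password Credential",
     "Resource": "https://intranet.example.test/", "LogonId": "0x3e7"},  # SYSTEM, excluded
    {"id": "e4", "EventID": "4104",
     "ScriptBlockText": "$v = New-Object Windows.Security.Credentials.PasswordVault; $v.RetrieveAll()"},
    {"id": "e5", "EventID": "4104",
     "ScriptBlockText": "$l = New-Object Collections.ArrayList"},        # New-Object alone is noise
]


def evaluate(events=EVENTS, rules=RULES):
    """Return {event id: [names of rules that fired]} for events that hit anything."""
    out = {}
    for ev in events:
        fired = [name for name, r in rules.items()
                 if rule_hits(ev, r["selection"], r["exclusions"])]
        if fired:
            out[ev["id"]] = fired
    return out


if __name__ == "__main__":
    for eid, names in evaluate().items():
        print(eid, "->", ", ".join(names))
```

Only e1 and e4 fire: e2 and e3 satisfy the 5382 selection but hit an exclusion, and e5 shows why New-Object by itself (corpus reach 6 in the table above) needs a second condition before it is worth alerting on.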

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 7 rules

Elastic 1 rule