Credentials from Password Stores T1555

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Events covered

13 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 44 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (39 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine14contains 10, in 3, regex_match 2, wildcard 1 cp , mi , mv , "C:\Program Files\Google\Chrome\Application\chrome.exe"..., "C:\Program Files\Google\Chrome\Application\chrome.exe"...
OriginalFileName13eq 12, ends_with 1cmdkey.exe, vaultcmd.exe, browsercore.exe, esentutl.exe, msbuild.exe
process_name11eq 10, ends_with 1, in 1, starts_with 1cmdkey.exe, *:\\temp\\*, *\\appdata\\local\\temp\\*, *\\perflogs\\*, \mpcopyaccelerator.exe
Image7ends_with 7\bash.exe, \cmd.exe, \cscript.exe, \esentutl.exe, \robocopy.exe
EventID6eq 64663, 4103, 4104, 4656, 4688
event.type6eq 6start
RelativeTargetName5contains 4, ends_with 2, eq 1, regex_match 1PROGRAM FILES\UltraVNC\ultravnc.ini, PROGRAM FILES\uvnc bvba\UltraVNC\ultravnc.ini, PROGRAMFILES\UltraVNC\ultravnc.ini, Users\\.*\\AppData\\.*, Users\\.*\\Desktop.*
ScriptBlockText5contains 5, match 1-destination, /listcreds:, [system.runtime.interopservices.runtimeenvironment]::getr..., \google\chrome\user data\default\login data, \google\chrome\user data\default\login data for account
ShareName5wildcard 5\\*\C$
process.args4eq 3, wildcard 2, match 1, starts_with 1--remote-debugging-port=922?, --window-position=-*,-*, /list, Invoke-DbaQuery, Invoke-SqlExecute
ObjectName3contains 3\\appdata\\roaming\\mozilla\\firefox\\profiles, \\google\\chrome\\user data\\default, \user data\default\login data, \user data\default\network\cookies, \user data\local state
TargetFilename3contains 3, ends_with 1\\temp\\, .cer, .key, .pfx
file_name3in 2, ends_with 1\cookies.sqlite, \places.sqlite, cookie*, local state, login data
Channel2eq 2, in 2
EventData2contains 2-encodedcommand, powershell.exe, powershell_ise.exe, retrieve, windows.security.credentials.passwordvault

Top indicator values (309 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
event.typeeq
start
6241
ShareNamewildcard
\\*\C$
57
EventIDeq
4663
334
OriginalFileNameeq
cmdkey.exe
35
OriginalFileNameeq
vaultcmd.exe
22
process_nameeq
cmdkey.exe
34
Imageends_with
\rundll32.exe
2103
Resourcestarts_with
http
22
ScriptBlockTextcontains
windows.security.credentials.passwordvault
22
TargetFilenamecontains
\\temp\\
24
AccessMaskeq
0x1
12
CommandLinecontains
cp
18
CommandLinecontains
mi
13
CommandLinecontains
mv
14
CommandLinecontains
-encodedcommand
13
CommandLinecontains
/delete
19
CommandLinecontains
/generic
1
CommandLinecontains
/list
1
CommandLinecontains
/listcreds:
1
CommandLinecontains
\amigo\user data
1
CommandLinecontains
\bravesoftware\brave-browser\user data
1
CommandLinecontains
\centbrowser\user data
1
CommandLinecontains
\chromium\user data
1
CommandLinecontains
\chromiumviewer\
1
CommandLinecontains
\coccoc\browser\user data
1
CommandLinecontains
\comodo\dragon\user data
1
CommandLinecontains
\elements browser\user data
1
CommandLinecontains
\epic privacy browser\user data
1
CommandLinecontains
\google\chrome beta\user data
1
CommandLinecontains
\google\chrome sxs\user data
1

Exclusions (35 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
process_namein
*\\explorer.exe
2
process_namein
*sql*
2
EventDatacontains
gc_service.exe
1
EventDatacontains
gc_worker.exe
1
LogonIdeq
0x3e7
1
ParentImagecontains
gc_service.exe
1
ParentImagecontains
gc_worker.exe
1
ParentImageeq
c:\windows\system32\compattelrunner.exe
1
ParentImagewildcard
c:\program files (x86)\*.exe
1
ParentImagewildcard
c:\program files\*.exe
1
ParentImagewildcard
c:\windows\explorer.exe
1
ParentImagewildcard
c:\windows\system32\rdpinit.exe
1
ParentImagewildcard
c:\windows\system32\runtimebroker.exe
1
ParentImagewildcard
c:\windows\system32\secocl64.exe
1
ParentImagewildcard
c:\windows\system32\sihost.exe
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 22 rules

Elastic 7 rules

Splunk 12 rules

Kusto 2 rules

YARA-L 1 rule