Microsoft-Windows-Security-Auditing › Event 5382

Event ID 5382 — Vault credentials were read.

Provider
Microsoft-Windows-Security-Auditing
Channel
Security
Audit Policy
Account Management → User Account Management
Collection Priority
Recommended (Yamato Security)
Opcode
Info

Description

Vault credentials were read.

Message

Vault credentials were read.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

This event occurs when a user reads a stored vault credential.

Fields

Name                 Type           Description
SubjectUserSid       SID            [Subject] Security ID
SubjectUserName      UnicodeString  [Subject] Account Name
SubjectDomainName    UnicodeString  [Subject] Account Domain
SubjectLogonId       HexInt64       [Subject] Logon ID
SchemaFriendlyName   UnicodeString
Schema               GUID
Resource             UnicodeString
Identity             UnicodeString
PackageSid           UnicodeString
Flags                UInt32
ReturnCode           UInt32
ProcessCreationTime  FILETIME
ClientProcessId      UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5382,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-05T22:28:52.690626+00:00",
    "event_record_id": 3184,
    "correlation": {},
    "execution": {
      "process_id": 808,
      "thread_id": 888
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "SchemaFriendlyName": "NGC Local Accoount Logon Vault Resource Schema",
    "Schema": "1D4350A3-330D-4AF9-B3FF-A927A45998AC",
    "Resource": "NGC Local Accoount Logon Vault Resource",
    "Identity": "010500000000000515000000F15DC676EF81AF629C157803E8030000",
    "PackageSid": "",
    "Flags": 0,
    "ReturnCode": 1168,
    "ProcessCreationTime": "2023-11-05T22:28:52.050339Z",
    "ClientProcessId": 4612
  },
  "message": ""
}

Detection Rules

Elastic

  • Multiple Vault Web Credentials Read (severity: medium): Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.
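
Detection logic in the spirit of the rule above, as an added example (not Elastic's rule and not code from this page): it takes 5382 records shaped like the example event, ignores the routine SYSTEM reads of the NGC logon vault, keeps only reads of the "Windows Web Password Credential" schema, and flags a logon session and client process that read several distinct saved web credentials within a short window. The user SIDs, logon IDs, process IDs, URLs and timestamps in the sample records are constructed, and the threshold of 3 reads per minute is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WEB_CRED_SCHEMA = "Windows Web Password Credential"  # schema used for saved web passwords
LOCAL_SYSTEM_SID = "S-1-5-18"

def make_5382(ts, sid, logon_id, pid, schema, resource, rc):
    # Constructed 5382 record in the shape of this page's example event (only the fields the detection needs).
    return {"system": {"event_id": 5382, "computer": "WinDev2310Eval", "time_created": ts},
            "event_data": {"SubjectUserSid": sid, "SubjectLogonId": logon_id, "ClientProcessId": pid,
                           "SchemaFriendlyName": schema, "Resource": resource, "ReturnCode": rc}}

USER_A, USER_B = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1002"  # constructed SIDs
SAMPLE_EVENTS = [
    # SYSTEM reading the NGC logon vault, as in the example event above: routine, ignored
    make_5382("2023-11-05T22:28:52.690626+00:00", LOCAL_SYSTEM_SID, "0x3e7", 4612,
              "NGC Local Accoount Logon Vault Resource Schema", "NGC Local Accoount Logon Vault Resource", 1168),
    # one logon session and one client process reading three different saved web credentials in 12 s
    make_5382("2023-11-05T22:30:00+00:00", USER_A, "0x5a3c1", 7220, WEB_CRED_SCHEMA, "https://mail.example.test/", 0),
    make_5382("2023-11-05T22:30:05+00:00", USER_A, "0x5a3c1", 7220, WEB_CRED_SCHEMA, "https://vpn.example.test/", 0),
    make_5382("2023-11-05T22:30:12+00:00", USER_A, "0x5a3c1", 7220, WEB_CRED_SCHEMA, "https://git.example.test/", 1168),
    # a browser fetching one credential for its own sign-in: below threshold, not flagged
    make_5382("2023-11-05T22:31:00+00:00", USER_B, "0x6b110", 9040, WEB_CRED_SCHEMA, "https://mail.example.test/", 0),
]

def detect_vault_reads(events, threshold=3, window=timedelta(minutes=1)):
    """Group web-credential reads per (computer, SubjectLogonId, ClientProcessId) and flag every
    group with at least `threshold` reads inside some `window`. Failed reads still count
    (ReturnCode 1168 is ERROR_NOT_FOUND, as in the example event): the attempt is the signal."""
    reads = defaultdict(list)
    for ev in events:
        sysinfo, data = ev["system"], ev["event_data"]
        if sysinfo["event_id"] != 5382 or data["SubjectUserSid"] == LOCAL_SYSTEM_SID:
            continue  # only 5382, and drop the SYSTEM/NGC logon-vault noise
        if data["SchemaFriendlyName"] != WEB_CRED_SCHEMA:
            continue  # only saved web credentials, not NGC or generic vault schemas
        key = (sysinfo["computer"], data["SubjectLogonId"], data["ClientProcessId"])
        reads[key].append((datetime.fromisoformat(sysinfo["time_created"]), data["Resource"]))
    alerts = {}
    for key, items in reads.items():
        items.sort()
        start = 0
        for end, (t, _) in enumerate(items):
            while t - items[start][0] > window:
                start += 1  # slide the window start forward past stale reads
            if end - start + 1 >= threshold:
                alerts[key] = sorted({res for _, res in items[start:end + 1]})
                break
    return alerts
```

`detect_vault_reads(SAMPLE_EVENTS)` returns one alert keyed by the host, logon ID and client PID, listing the three resources read; raising the threshold to 4 clears it.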

References