Detection rules › Elastic
Multiple Vault Web Credentials Read
Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003 OS Credential Dumping, T1555 Credentials from Password Stores, T1555.004 Credentials from Password Stores: Windows Credential Manager |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5382 | Vault credentials were read. |
Stages and Predicates
Stage 1: eql:any
not winlog.event_data.Resource:"http://localhost/" and not winlog.event_data.SubjectLogonId:0x3e7 and winlog.event_data.Resource:"http*" and winlog.event_data.SchemaFriendlyName:"Windows Web Password Credential"
Stage 2: eql:any
not winlog.event_data.Resource:"http://localhost/" and not winlog.event_data.SubjectLogonId:0x3e7 and winlog.event_data.Resource:"http*" and winlog.event_data.SchemaFriendlyName:"Windows Web Password Credential"
Exclusions
Top-level NOT(...) conjuncts, i.e. the predicates this rule actively suppresses. Both stages carry the same two exclusions: reads by the LOCAL SYSTEM logon session (0x3e7) and reads of the http://localhost/ resource.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | LogonId | eq | 0x3e7 |
| 1 | Resource | eq | http://localhost/ |
| 2 | LogonId | eq | 0x3e7 |
| 2 | Resource | eq | http://localhost/ |
Indicators
Each row is a field, operator, and value that the rule matches; the values below are the positive predicates shared by both stages.
| Field | Kind | Values |
|---|---|---|
| winlog.event_data.Resource | wildcard | http* |
| winlog.event_data.SchemaFriendlyName | wildcard | Windows Web Password Credential |
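As an added example (not Elastic's rule code and not part of the catalog page), the Python below re-implements the stage predicate and the "multiple reads" logic over constructed Security 5382 events. The (host, SubjectLogonId) grouping key and the read threshold are assumptions, since the page does not show the sequence's join keys or time window.

```python
from collections import defaultdict

# Constants taken from the rule's predicates above.
SYSTEM_LOGON_ID = "0x3e7"                       # LOCAL SYSTEM logon session (excluded)
LOCALHOST_RESOURCE = "http://localhost/"        # excluded Resource value
WEB_SCHEMA = "Windows Web Password Credential"  # SchemaFriendlyName the rule requires

def matches_stage(ev):
    """One stage of the rule: a 5382 read of a web credential for an http* resource,
    excluding localhost and the SYSTEM logon session (EQL ':' is case-insensitive)."""
    if ev.get("event_id") != 5382:
        return False
    d = ev.get("event_data", {})
    resource = d.get("Resource", "").lower()
    return (
        resource.startswith("http")                 # Resource:"http*"
        and resource != LOCALHOST_RESOURCE          # not Resource:"http://localhost/"
        and d.get("SubjectLogonId", "").lower() != SYSTEM_LOGON_ID
        and d.get("SchemaFriendlyName", "").lower() == WEB_SCHEMA.lower()
    )

def find_multiple_reads(events, min_reads=2):
    """Report (host, logon id) pairs with at least min_reads matching reads.
    Assumption: grouping by host and SubjectLogonId stands in for the sequence
    join keys and time window that the catalog page does not show."""
    hits = defaultdict(list)
    for ev in events:
        if matches_stage(ev):
            key = (ev["host"], ev["event_data"]["SubjectLogonId"])
            hits[key].append(ev["event_data"]["Resource"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_reads}

def make_event(host, logon, resource, schema=WEB_SCHEMA, event_id=5382):
    return {"host": host, "event_id": event_id,
            "event_data": {"SubjectLogonId": logon, "Resource": resource,
                           "SchemaFriendlyName": schema}}

# Constructed sample 5382 events (not real telemetry); hosts and logon ids are made up.
SAMPLE_EVENTS = [
    make_event("WS01", "0x5a3b2", "https://portal.example.com/"),  # matches
    make_event("WS01", "0x5a3b2", "https://mail.example.com/"),    # second read -> alert
    make_event("WS01", "0x3e7",   "https://svc.example.com/"),     # SYSTEM logon, excluded
    make_event("WS01", "0x5a3b2", "http://localhost/"),            # localhost, excluded
    make_event("WS01", "0x5a3b2", "https://fs01.example.com/",
               schema="Windows Domain Password Credential"),       # not a web credential
    make_event("WS02", "0x7c1",   "https://one.example.com/"),     # single read, below threshold
]

if __name__ == "__main__":
    for (host, logon), resources in find_multiple_reads(SAMPLE_EVENTS).items():
        print(f"ALERT host={host} logon={logon} web credentials read: {resources}")
```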