detection.wiki

Detection rules › Splunk

Windows Credentials Access via VaultCli Module

Author
Teoderick Contreras, Splunk
Source
upstream

The following analytic detects potentially abnormal interactions with VaultCLI.dll, particularly those initiated by processes located in publicly writable Windows folder paths. The VaultCLI.dll module allows processes to extract credentials from the Windows Credential Vault. It was seen being abused by information stealers such as Meduza. The analytic monitors suspicious API calls, unauthorized credential access patterns, and anomalous process behaviors indicative of malicious activity. By leveraging a combination of signature-based detection and behavioral analysis, it effectively flags attempts to misuse the vault for credential theft, enabling swift response to protect sensitive user data and ensure system security.

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1555.004 Credentials from Password Stores: Windows Credential Manager

Event coverage

ProviderEvent IDTitle
Sysmon7Image loaded

Stages and Predicates

Stage 1: search

search EventCode=7 ImageLoaded="*\\vaultcli.dll" process_path IN ("*:\\temp\\*", "*Recycle.bin*", "*\\PerfLogs\\*", "*\\Users\\Administrator\\Music\\*", "*\\Users\\Default\\*", "*\\Windows\\Media\\*", "*\\Windows\\servicing\\*", "*\\appdata\\local\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\windows\\fonts\\*", "*\\windows\\temp\\*", "\\Windows\\repair\\*")

Stage 2: fillnull

fillnull

Stage 3: stats

stats BY Image, ImageLoaded, dest, loaded_file, loaded_file_path, original_file_name, process_exec, process_guid, process_hash, process_id, process_name, process_path, service_dll_signature_exists, service_dll_signature_verified, signature, signature_id, user_id, vendor_product

Stage 4: search

search

Stage 5: search

search

Stage 6: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodeeq
  • 7 corpus 35 (splunk 35)
ImageLoadedeq
  • "*\\vaultcli.dll"
process_pathin
  • "*:\\temp\\*"
  • "*Recycle.bin*"
  • "*\\PerfLogs\\*"
  • "*\\Users\\Administrator\\Music\\*"
  • "*\\Users\\Default\\*"
  • "*\\Windows\\Media\\*"
  • "*\\Windows\\servicing\\*"
  • "*\\appdata\\local\\temp\\*"
  • "*\\users\\public\\*"
  • "*\\windows\\debug\\*"
  • "*\\windows\\fonts\\*"
  • "*\\windows\\temp\\*"
  • "\\Windows\\repair\\*"

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.