credential_access_suspicious_access_to_windows_vault_files.yml

name: Suspicious access to Windows Vault files
id: 44400221-f98d-424a-9388-497c75b18924
version: 1.0.1
description: |
  Identifies attempts from adversaries to acquire credentials from Vault files.
labels:
  tactic.id: TA0006
  tactic.name: Credential Access
  tactic.ref: https://attack.mitre.org/tactics/TA0006/
  technique.id: T1555
  technique.name: Credentials from Password Stores
  technique.ref: https://attack.mitre.org/techniques/T1555/
  subtechnique.id: T1555.004
  subtechnique.name: Windows Credential Manager
  subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/

condition: >
  open_file
    and
  file.path imatches
    (
      '?:\\Users\\*\\AppData\\*\\Microsoft\\Vault\\*\\*',
      '?:\\ProgramData\\Microsoft\\Vault\\*'
    )
    and
  file.extension in vault_extensions
    and
    not
  ps.exe imatches
    (
      '?:\\Program Files\\*',
      '?:\\Program Files(x86)\\*',
      '?:\\Windows\\System32\\lsass.exe',
      '?:\\Windows\\System32\\svchost.exe'
    )

min-engine-version: 2.4.0