nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/windows/credential_access_regback_sam_security_hives.toml

@@ -0,0 +1,101 @@
+[metadata]
+creation_date = "2024/07/01"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/02/14"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies attempts to access sensitive registry hives which contain credentials from the registry backup folder."
+from = "now-9m"
+index = ["logs-endpoint.events.file-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Sensitive Registry Hive Access via RegBack"
+note = """## Triage and analysis
+
+### Investigating Sensitive Registry Hive Access via RegBack
+
+Collecting registry hives is a common way to access credential information as some hives store credential material.
+
+For example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).
+
+Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.
+
+#### Possible investigation steps
+
+- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate if the credential material was exfiltrated or processed locally by other tools.
+- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.
+
+### False positive analysis
+
+- Administrators can export registry hives for backup purposes. Check whether the user is legitamitely performing this kind of activity.
+
+### Related rules
+
+- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Reimage the host operating system and restore compromised files to clean versions.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+risk_score = 73
+rule_id = "63e381a6-0ffe-4afb-9a26-72a59ad16d7b"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and 
+ event.action == "open" and event.outcome == "success" and process.executable != null and 
+ file.path :
+      ("?:\\Windows\\System32\\config\\RegBack\\SAM",
+       "?:\\Windows\\System32\\config\\RegBack\\SECURITY",
+       "?:\\Windows\\System32\\config\\RegBack\\SYSTEM") and 
+ not (
+    user.id == "S-1-5-18" and process.executable : (
+        "?:\\Windows\\system32\\taskhostw.exe", "?:\\Windows\\system32\\taskhost.exe"
+    ))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.002"
+name = "Security Account Manager"
+reference = "https://attack.mitre.org/techniques/T1003/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.004"
+name = "LSA Secrets"
+reference = "https://attack.mitre.org/techniques/T1003/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"

nldcsc_elastic_rules/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml

@@ -0,0 +1,130 @@
+[metadata]
+creation_date = "2022/04/30"
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
+maturity = "production"
+updated_date = "2025/03/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target.
+An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.
+"""
+from = "now-9m"
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-system.security*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Local NTLM Relay via HTTP"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Local NTLM Relay via HTTP
+
+NTLM, a suite of Microsoft security protocols, is often targeted by adversaries for credential theft. Attackers may exploit the Windows Printer Spooler service to coerce NTLM authentication over HTTP, potentially elevating privileges. The detection rule identifies suspicious rundll32.exe executions invoking WebDAV client DLLs with specific arguments, signaling attempts to access named pipes via HTTP, indicative of NTLM relay attacks.
+
+### Possible investigation steps
+
+- Review the process execution details for rundll32.exe, focusing on the specific arguments related to davclnt.dll and DavSetCookie, to confirm the presence of suspicious WebDAV client activity.
+- Investigate the network connections initiated by the rundll32.exe process to identify any HTTP requests targeting named pipes, such as those containing "/print/pipe/", "/pipe/spoolss", or "/pipe/srvsvc".
+- Check the system's event logs for any related authentication attempts or failures around the time of the alert to identify potential NTLM relay activity.
+- Analyze the history of the Windows Printer Spooler service on the affected host to determine if it has been recently manipulated or exploited.
+- Correlate the alert with other security events or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns.
+- Assess the user account associated with the NTLM authentication attempt to determine if it has been compromised or is being used in an unauthorized manner.
+
+### False positive analysis
+
+- Legitimate administrative tasks using rundll32.exe with WebDAV client DLLs may trigger the rule. Review the context of the execution, such as the user account and the timing, to determine if it aligns with expected administrative activities.
+- Automated software deployment or update processes might use similar rundll32.exe calls. Verify if the process is part of a scheduled or known deployment task and consider excluding these specific processes from the rule.
+- Some third-party applications may use WebDAV for legitimate purposes, which could mimic the behavior detected by the rule. Identify these applications and create exceptions for their known processes to prevent false alerts.
+- System maintenance scripts or tools that interact with network resources via HTTP might inadvertently match the rule's criteria. Ensure these scripts are documented and exclude them if they are verified as non-threatening.
+- Regularly review and update the exclusion list to accommodate changes in legitimate software behavior, ensuring that only verified false positives are excluded to maintain the rule's effectiveness.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
+- Terminate any suspicious rundll32.exe processes identified in the alert to stop ongoing malicious activity.
+- Conduct a thorough review of the affected system's event logs and network traffic to identify any additional indicators of compromise or related malicious activity.
+- Reset credentials for any accounts that may have been exposed or compromised during the attack to prevent unauthorized access.
+- Apply the latest security patches and updates to the Windows Printer Spooler service and related components to mitigate known vulnerabilities.
+- Implement network segmentation to limit the exposure of critical services and reduce the risk of similar attacks in the future.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken."""
+references = [
+    "https://github.com/med0x2e/NTLMRelay2Self",
+    "https://github.com/topotam/PetitPotam",
+    "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py",
+]
+risk_score = 73
+rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.name : "rundll32.exe" and
+
+  /* Rundll32 WbeDav Client  */
+  process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and
+
+  /* Access to named pipe via http */
+  process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1212"
+name = "Exploitation for Credential Access"
+reference = "https://attack.mitre.org/techniques/T1212/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/windows/credential_access_remote_sam_secretsdump.toml

@@ -0,0 +1,119 @@
+[metadata]
+creation_date = "2022/03/01"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2024/05/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM)
+registry hive in preparation for credential access and privileges elevation.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.file-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Remote Credential Access via Registry"
+note = """## Triage and analysis
+
+### Investigating Potential Remote Credential Access via Registry
+
+Dumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.
+
+Attackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.
+
+#### Possible investigation steps
+
+- Identify the specifics of the involved assets, such as their role, criticality, and associated users.
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Determine the privileges of the compromised accounts.
+- Investigate other alerts associated with the user/source host during the past 48 hours.
+- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
+
+### Related rules
+
+- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Determine if other hosts were compromised.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Reimage the host operating system or restore the compromised files to clean versions.
+- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+references = [
+    "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
+    "https://www.elastic.co/security-labs/detect-credential-access",
+]
+risk_score = 73
+rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8"
+setup = """## Setup
+
+This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Lateral Movement",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and
+  event.action == "creation" and process.name : "svchost.exe" and
+  file.Ext.header_bytes : "72656766*" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and file.size >= 30000 and
+  file.path : ("?:\\Windows\\system32\\*.tmp", "?:\\WINDOWS\\Temp\\*.tmp")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.002"
+name = "Security Account Manager"
+reference = "https://attack.mitre.org/techniques/T1003/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+

nldcsc_elastic_rules/rules/windows/credential_access_saved_creds_vault_winlog.toml

@@ -0,0 +1,110 @@
+[metadata]
+creation_date = "2022/08/30"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2025/11/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected
+applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for
+saved usernames and passwords. This may also be performed in preparation of lateral movement.
+"""
+from = "now-9m"
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Multiple Vault Web Credentials Read"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Multiple Vault Web Credentials Read
+
+Windows Credential Manager stores credentials for web logins, apps, and networks, facilitating seamless user access. Adversaries exploit this by extracting stored credentials, potentially aiding lateral movement within networks. The detection rule identifies suspicious activity by flagging consecutive credential reads from the same process, excluding benign actions like localhost access, thus highlighting potential credential dumping attempts.
+
+### Possible investigation steps
+
+- Review the process associated with the flagged PID to determine if it is a legitimate application or potentially malicious. Check for known software or unusual executables.
+- Investigate the source and destination of the web credentials read by examining the winlog.event_data.Resource field to identify any suspicious or unexpected URLs.
+- Check the winlog.computer_name to identify the affected system and assess whether it is a high-value target or has been involved in previous suspicious activities.
+- Analyze the timeline of events around the alert to identify any preceding or subsequent suspicious activities that may indicate a broader attack pattern.
+- Verify the user context by examining the winlog.event_data.SubjectLogonId to ensure the activity was not performed by a privileged or administrative account without proper authorization.
+- Cross-reference the event with other security logs or alerts to identify any correlated activities that might suggest a coordinated attack or compromise.
+
+### False positive analysis
+
+- Localhost access is a common false positive since the rule excludes localhost reads. Ensure that any legitimate applications accessing credentials via localhost are properly whitelisted to prevent unnecessary alerts.
+- Automated scripts or applications that frequently access web credentials for legitimate purposes may trigger the rule. Identify these processes and create exceptions for them to reduce noise.
+- System maintenance or updates might involve credential reads that are benign. Coordinate with IT teams to schedule these activities and temporarily adjust the rule sensitivity or add exceptions during these periods.
+- Security tools or monitoring software that perform regular checks on credential integrity could be flagged. Verify these tools and add them to an exception list if they are part of the organization's security infrastructure.
+- User behavior such as frequent password changes or credential updates might cause alerts. Educate users on the impact of their actions and consider adjusting the rule to accommodate expected behavior patterns.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent potential lateral movement by the adversary.
+- Terminate the suspicious process identified by the process ID (pid) involved in the credential reads to stop further credential access.
+- Conduct a thorough review of the affected system for any additional signs of compromise, such as unauthorized user accounts or scheduled tasks.
+- Change passwords for any accounts that may have been exposed, focusing on those stored in the Windows Credential Manager.
+- Implement network segmentation to limit access to critical systems and data, reducing the risk of lateral movement.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
+- Enhance monitoring and logging on the affected system and similar endpoints to detect any future attempts at credential dumping or unauthorized access."""
+references = [
+    "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",
+    "https://www.elastic.co/security-labs/detect-credential-access",
+]
+risk_score = 47
+rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Windows Security Event Logs",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
+
+ /* 2 consecutive vault reads from same pid for web creds */
+
+ [any where host.os.type == "windows" and event.code == "5382" and
+  (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
+  not winlog.event_data.SubjectLogonId : "0x3e7" and
+  not winlog.event_data.Resource : "http://localhost/"]
+
+ [any where host.os.type == "windows" and event.code == "5382" and
+  (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
+  not winlog.event_data.SubjectLogonId : "0x3e7" and
+  not winlog.event_data.Resource : "http://localhost/"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1555.004"
+name = "Windows Credential Manager"
+reference = "https://attack.mitre.org/techniques/T1555/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+

nldcsc_elastic_rules/rules/windows/credential_access_saved_creds_vaultcmd.toml

@@ -0,0 +1,117 @@
+[metadata]
+creation_date = "2021/01/19"
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
+maturity = "production"
+updated_date = "2025/03/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected
+applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for
+saved usernames and passwords. This may also be performed in preparation of lateral movement.
+"""
+from = "now-9m"
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-system.security*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Searching for Saved Credentials via VaultCmd"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Searching for Saved Credentials via VaultCmd
+
+Windows Credential Manager stores credentials for websites, applications, and networks. Adversaries exploit this by using VaultCmd to list or extract these credentials, aiding in lateral movement. The detection rule identifies such abuse by monitoring the execution of VaultCmd with specific arguments, flagging potential credential access attempts. This helps in early detection of unauthorized credential access activities.
+
+### Possible investigation steps
+
+- Review the process execution details to confirm the presence of vaultcmd.exe with the /list* argument, as this indicates an attempt to list saved credentials.
+- Check the user account associated with the process execution to determine if the activity aligns with expected behavior for that user or if it appears suspicious.
+- Investigate the parent process of vaultcmd.exe to understand how it was initiated and whether it was triggered by a legitimate application or script.
+- Examine recent login activity and network connections from the host to identify any signs of lateral movement or unauthorized access attempts.
+- Correlate this event with other security alerts or logs from the same host or user to identify potential patterns of malicious behavior.
+- Review endpoint security logs from tools like Microsoft Defender for Endpoint or Crowdstrike for additional context or corroborating evidence of credential access attempts.
+
+### False positive analysis
+
+- Routine administrative tasks using VaultCmd for legitimate credential management can trigger alerts. To manage this, create exceptions for known administrative accounts or scheduled tasks that regularly use VaultCmd with the /list argument.
+- Security software or system management tools that perform regular audits of stored credentials might also cause false positives. Identify these tools and exclude their processes from triggering the rule.
+- Automated scripts or backup processes that access Credential Manager for legitimate purposes may be flagged. Review these scripts and whitelist them if they are verified as non-threatening.
+- User-initiated credential management activities, such as listing credentials for personal use, can be mistaken for malicious behavior. Educate users on the implications of using VaultCmd and consider excluding specific user accounts if necessary.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent potential lateral movement and further credential access.
+- Terminate any suspicious processes associated with VaultCmd.exe to halt unauthorized credential dumping activities.
+- Conduct a thorough review of the affected system's event logs and process execution history to identify any additional malicious activities or compromised accounts.
+- Reset passwords for any accounts that may have been exposed or accessed through the Credential Manager to mitigate unauthorized access.
+- Implement enhanced monitoring on the affected system and similar endpoints for any further attempts to use VaultCmd.exe or other credential dumping tools.
+- Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the scope of the breach.
+- Review and update endpoint protection configurations to ensure that similar threats are detected and blocked in the future, leveraging threat intelligence and MITRE ATT&CK framework insights."""
+references = [
+    "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+    "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/",
+    "https://www.elastic.co/security-labs/detect-credential-access",
+]
+risk_score = 47
+rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  (?process.pe.original_file_name:"vaultcmd.exe" or process.name:"vaultcmd.exe") and
+  process.args:"/list*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1555.004"
+name = "Windows Credential Manager"
+reference = "https://attack.mitre.org/techniques/T1555/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+