From 619c7d57fc8fdf3d33327688900e93de44171892 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Fri, 23 Oct 2020 15:05:20 -0500 Subject: [PATCH] T1555.003 Modified AccessChk --- Tactics/CredentialAccess.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Tactics/CredentialAccess.md b/Tactics/CredentialAccess.md index 34e2b10..686e825 100644 --- a/Tactics/CredentialAccess.md +++ b/Tactics/CredentialAccess.md @@ -23,6 +23,13 @@ TgtProcCmdLine ContainsCIS "/si pass" OR TgtProcCmdLine ContainsCIS "-pattern pa ### T1555.003 Credentials from Web Browsers Atomics: [T1555.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md) +#### Test #1 - Modified SysInternals AccessChk Chrome password collector + +To focus on detection, we're looking for AccessChk.exe where the DisplayName does not match that of the original. There's 4X as many Cross_Process objects with this query but none detect the collection of the Chrome password db. + +` +TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective permissions for securable objects" +` ### T1552.002 Credentials in Registry Atomics: [T1552.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md)
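Review bot: the query in the T1555.003 hunk is wrapped in single backticks on their own lines, which Markdown treats as inline code spans rather than a code block, so it will not render the way the other queries in Tactics/CredentialAccess.md do; use a triple-backtick fence around the `TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective permissions for securable objects"` line instead. The prose above it also states that this query yields 4X more Cross_Process objects and that none of them detect the collection of the Chrome password db, so the heading should make clear this is a heuristic for a renamed or modified AccessChk binary (display-name mismatch), not a detection of the credential collection itself, and the added sentence would read better as "There are 4X as many".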