Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-10 18:01:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

PasswordVault Browser Cred extraction rule

Browse Source
This commit is contained in:
@
2020-11-24 12:42:31 -06:00
parent eb3dec64e9
commit a428941d64
1 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries/windows/edge_or_ie_cred_extraction_w_pwsh.yml
+17
View File
@@ -0,0 +1,17 @@
title: Edge or IE Credential Extraction with PowerShell
description: Detects the extraction of Edge or Internet Explorer PasswordVault credentials with PowerShell.
author: keyboardcrunch
date: 24/11/2020
modified:
mitre:
tactic: Credential Access
technique: T1555
subtechnique: 003
operating_system: windows
query: SrcProcCmdScript ContainsCIS "Windows.Security.Credentials.PasswordVault" OR SrcProcCmdScript ContainsCIS "RetrievePassword"
false_positives:
-
tags:
-
references:
- https://github.com/HanseSecure/credgrap_ie_edge