Credential Manager Access By Uncommon Applications (407aecb1-e762-4acf-8c7b-d087bcff3bb6)
Detects suspicious processes, identified by name and location, that access the Windows Credential Manager and Vault, which can be a sign of credential theft. An example case would be use of the mimikatz "dpapi::cred" function.
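As an added illustration (not code from the rule or this page), here is a small Python model of the detection idea: flag file accesses to the Credential Manager and Vault storage locations when the accessing image is not one of a few expected system binaries. The path fragments, the allowlist and the sample events are assumptions constructed for this example, not the Sigma rule's exact selection logic.

```python
from dataclasses import dataclass

# Assumed on-disk locations of Credential Manager blobs and the Vault
# (lower-cased path fragments); placeholders chosen for this example.
CREDENTIAL_STORE_FRAGMENTS = (
    "\\microsoft\\credentials\\",
    "\\microsoft\\vault\\",
)

# Assumed allowlist of system binaries expected to touch these stores.
EXPECTED_IMAGES = {
    "c:\\windows\\system32\\lsass.exe",
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\explorer.exe",
}

@dataclass
class FileAccessEvent:
    """Minimal model of a Windows Security 'object access' (4663) event."""
    process_name: str   # full path of the accessing image
    object_name: str    # full path of the file that was accessed

def is_credential_store_access(event: FileAccessEvent) -> bool:
    """True when the accessed path lies under a Credential Manager/Vault folder."""
    obj = event.object_name.lower()
    return any(fragment in obj for fragment in CREDENTIAL_STORE_FRAGMENTS)

def is_uncommon_application(event: FileAccessEvent) -> bool:
    """True unless the accessing image is one of the expected system binaries."""
    return event.process_name.lower() not in EXPECTED_IMAGES

def detect(events: list) -> list:
    """Return the events that should raise an alert under this rule's idea."""
    return [e for e in events if is_credential_store_access(e) and is_uncommon_application(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileAccessEvent("C:\\Windows\\System32\\lsass.exe",
                    "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Credentials\\0123ABCD"),
    FileAccessEvent("C:\\Users\\alice\\Downloads\\tool.exe",
                    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Vault\\EXAMPLE-GUID\\Policy.vpol"),
    FileAccessEvent("C:\\Windows\\System32\\notepad.exe",
                    "C:\\Users\\alice\\Documents\\notes.txt"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit.process_name} accessed {hit.object_name}")
```

Only the Vault access by the unrecognised image in the Downloads folder is reported; the lsass access matches the credential-store path but is allowlisted, and the notepad access is outside the stores.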
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | Credential Manager Access By Uncommon Applications (407aecb1-e762-4acf-8c7b-d087bcff3bb6) | Sigma-Rules | 1 |