Access To Windows Credential History File By Uncommon Application (7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2)

Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential theft. An example case is the use of the mimikatz "dpapi::credhist" function.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) | Attack Pattern | Access To Windows Credential History File By Uncommon Application (7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2) | Sigma-Rules | 1 |
| Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) | Attack Pattern | 2 |