Cmdkey (da252f67-2d4e-419f-b493-d4a1d024a01c)
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: creates, lists, and deletes stored user names and passwords or credentials.
Author: Oddvar Moe
Paths: * C:\Windows\System32\cmdkey.exe * C:\Windows\SysWOW64\cmdkey.exe
Resources: * https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation * https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
Detection: * Sigma: proc_creation_win_cmdkey_recon.yml[Cmdkey.exe - LOLBAS Project]
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| HEXANE (eecf7289-294f-48dd-a747-7705820f4735) | Tidal Groups | Cmdkey (da252f67-2d4e-419f-b493-d4a1d024a01c) | Tidal Software | 1 |