Credential Manager Access By Uncommon Application (407aecb1-e762-4acf-8c7b-d087bcff3bb6)
Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Credential Manager Access By Uncommon Application (407aecb1-e762-4acf-8c7b-d087bcff3bb6) | Sigma-Rules | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 1 |