Detect Credentials from Password Stores in Google Chronicle
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Canonical reference
- https://attack.mitre.org/techniques/T1555/
YARA-L Detection Query
rule t1555_credentials_from_password_stores {
meta:
author = "Argus Detection Engineering"
description = "Detects execution of credential harvesting tools or commands targeting password stores (T1555)"
mitre_attack_tactic = "Credential Access"
mitre_attack_technique = "T1555"
severity = "HIGH"
confidence = "HIGH"
version = "1.0"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
re.regex($e.target.process.file.full_path,
`(?i)(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass\.exe|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)`)
or re.regex($e.target.process.command_line,
`(?i)(cmdkey\s+/list|vaultcmd\s+/listcreds|security\s+dump-keychain|security\s+find-generic-password|security\s+find-internet-password|rundll32.*keymgr\.dll|CryptUnprotectData|CredEnumerateA|CredEnumerateW|SecKeychainFindInternetPassword|dpapi::cred|vault::list|vault::cred)`)
or re.regex($e.principal.process.file.full_path,
`(?i)(mimikatz|lazagne|credentialfileview|vaultpasswordview|netpass\.exe|keethief|dumperts|browserpassview|webbrowserpassview|mailpassview|chromiumpassworddecryptor|creddump)`)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting password store credential harvesting via PROCESS_LAUNCH UDM events. Matches on the target process full path and command line using regex for known tool names and credential enumeration API calls/CLI patterns. Also checks parent process path to catch child processes spawned by known tools. Uses UDM fields principal.process (parent) and target.process (spawned process).
Data Sources
Required Tables
False Positives & Tuning
- Privileged Access Workstation (PAW) credential vault agents that legitimately call CredEnumerateW during session setup for just-in-time access workflows.
- macOS MDM enrollment processes that use `security find-internet-password` to retrieve proxy credentials from keychain during device provisioning.
- SIEM/SOAR integration agents (Splunk SOAR, Palo Alto XSOAR) that spawn credential retrieval subprocesses when connecting to managed password stores.
Other platforms for T1555
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Windows Credential Manager with cmdkey
Expected signal: Sysmon Event ID 1: Process Create with Image=cmdkey.exe, CommandLine='cmdkey /list'. Security Event ID 4688 with same details if command line auditing is enabled.
- Test 2Enumerate Windows Vault with vaultcmd
Expected signal: Sysmon Event ID 1: Process Create with Image=vaultcmd.exe, CommandLine containing '/listcreds'. Security Event ID 4688 with command line details.
- Test 3Dump macOS Keychain credentials
Expected signal: macOS Unified Log: process creation for /usr/bin/security with arguments 'dump-keychain -d'. Endpoint Security Framework (ESF) events for Keychain access. EDR telemetry showing security binary execution with dump-keychain argument.
Unlock Pro Content
Get the full detection package for T1555 including response playbook, investigation guide, and atomic red team tests.