refactor(rules): Improve Credential discovery via VaultCmd tool rule

Make the rule more resistant to evasion by checking
the original process executable name and also performing
case-insensitive match on the command line.

Author: rabbitstack

rules/credential_access_credential_discovery_via_vaultcmd.yml

@@ -1,9 +1,10 @@
-name: Credential discovery via VaultCmd.exe
+name: Credential discovery via VaultCmd tool
 id: 2ce607d3-5a14-4628-be8a-22bcde97dab5
-version: 1.0.1
+version: 1.1.0
 description: |
-  Detects the usage of the VaultCmd tool to list Windows Credentials.
-  VaultCmd creates, displays and deletes stored credentials.
+  Detects the usage of the VaultCmd tool to list Windows Credentials. VaultCmd creates, 
+  displays and deletes stored credentials. An adversary may abuse this to list or dump 
+  credentials stored in the Credential Manager.
 labels:
   tactic.id: TA0006
   tactic.name: Credential Access
@@ -16,12 +17,10 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
 
 condition: >
-  spawn_process and ps.child.name ~= 'VaultCmd.exe'
+  spawn_process and (ps.child.name ~= 'VaultCmd.exe' or ps.child.pe.file.name ~= 'vaultcmd.exe')
     and
-  ps.child.args in
-    (
-      '"/listcreds:Windows Credentials"',
-      '"/listcreds:Web Credentials"'
-    )
+  ps.child.cmdline imatches '*/list*'
+
+severity: medium
 
 min-engine-version: 2.0.0