feat(rules): Suspicious Vault client DLL load

rabbitstack · rabbitstack · commit c76acf28682a · 2025-04-11T18:12:58.000+02:00
Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided by the Credential Vault Client Library to enumerate or harvest saved credentials.
diff --git a/rules/credential_access_suspicious_vault_client_dll_load.yml b/rules/credential_access_suspicious_vault_client_dll_load.yml
@@ -0,0 +1,59 @@
+name: Suspicious Vault client DLL load
+id: 64af2e2e-2309-4079-9c0f-985f1dd930f5
+version: 1.0.0
+description: |
+  Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided 
+  by the Credential Vault Client Library to enumerate or harvest saved credentials.
+labels:
+  tactic.id: TA0006
+  tactic.name: Credential Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0006/
+  technique.id: T1555
+  technique.name: Credentials from Password Stores
+  technique.ref: https://attack.mitre.org/techniques/T1555/
+  subtechnique.id: T1555.004
+  subtechnique.name: Windows Credential Manager
+  subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
+
+references:
+  - https://redcanary.com/blog/incident-response/active-breach-evading-defenses/
+  - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+
+condition: >
+  sequence
+  maxspan 2m
+    |spawn_process and ps.exe != '' 
+      and 
+      not 
+      (
+        ps.child.exe imatches 
+          (
+            '?:\\Windows\\System32\\MDMAppInstaller.exe',
+            '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
+            '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe',
+            '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
+            '?:\\Program Files\\*.exe', 
+            '?:\\Program Files (x86)\\*.exe',
+            '?:\\Windows\\winsxs\\*\\TiWorker.exe'
+          )
+          or
+        (ps.child.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule'))
+          or
+        (ps.child.exe imatches '?:\\Windows\\System32\\RuntimeBroker.exe')
+          or
+        (ps.exe imatches ('?:\\Program Files\\WindowsApps\\Microsoft.*.exe', '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe'))
+          or
+        (ps.child.exe imatches '?:\\WINDOWS\\System32\\svchost.exe' and ps.child.args intersects ('-k', 'wusvcs', '-p', '-s', 'WaaSMedicSvc'))
+          or
+        (ps.child.exe imatches '?:\\WINDOWS\\System32\\svchost.exe' and ps.child.args intersects ('-k', 'netsvcs', '-p', '-s', 'TokenBroker'))
+          or
+        (ps.child.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.child.args not in ('-ServerName:BackgroundTaskHost.WebAccountProvider'))
+      )
+    | by ps.child.uuid
+    |load_dll and image.name ~= 'vaultcli.dll'| by ps.uuid
+
+output: >
+  Suspicious process %2.ps.exe loaded the Credential Vault Client DLL for potential credentials harvesting
+severity: high
+
+min-engine-version: 2.4.0
