Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
|
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Low |
Description
Attackers may abuse the credwiz tool to export stored accounts.
Attacker's Goals
An attacker may attempt to gain higher privileges.
Investigative actions
Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
Variations
Stored credentials exported using credwiz.exe using keymgr.dll's KRShowKeyMgr functionStored credentials exported using credwiz.exe over RDP
Stored credentials exported using credwiz.exe with a built-in Windows tool