DeviceCredentialDeployment Execution

Original Source: [Sigma source]
Title: DeviceCredentialDeployment Execution
Status: test
Description: Detects the execution of DeviceCredentialDeployment to hide a process from view
References:
  - https://github.com/LOLBAS-Project/LOLBAS/pull/147
Author: Nasreddine Bencherchali (Nextron Systems)
Date: 2022-08-19
Modified: None
Tags:
  - 'attack.defense-evasion'
  - 'attack.t1218'
Logsource:
  • category: process_creation
  • product: windows
Detection:
  selection:
    Image|endswith: '\DeviceCredentialDeployment.exe'
  condition: selection
Falsepositives:
  - Unlikely
Level: medium