Access to stored credentials

Test Guide


The aim of this test is to verify that your Security Operations Center (SOC) can effectively detect the “cmdkey /list” command execution. This command is used on Windows systems to list stored credentials and could be exploited by malicious actors to gather sensitive information. Detecting this command allows your SOC to respond promptly to suspicious activities and prevent security breaches.

  1. Test Preparation:
  • Set up a monitored Windows machine in a controlled environment.
  • Ensure “cmdkey” utility availability on the machine.
  1. Baseline Monitoring:
  • Take a snapshot of the system’s current state (processes and user sessions).
  1. Test Execution:
  • Open Command Prompt on the Windows machine.
  • Execute the command: `cmdkey /list`
  1. Expected SOC Detection:
  • SOC’s monitoring should detect the execution of `cmdkey /list`.
  • SOC team receives an alert with details (timestamp, source IP, username, command).
  1. Review and Analysis:
  • SOC team analyzes the alert to confirm legitimacy.
  • If legitimate, the test is successful.
  • If suspicious/unauthorized, initiate incident response.
  1. Post-Test Validation:
  • Verify threat mitigation.
  • Compare post-test system state with baseline.
  1. Reporting:
  • Document test results and response process in a detailed report.
  • Highlight vulnerabilities and areas for improvement.
  1. Remediation:
  • Address identified weaknesses in SOC monitoring.
  • Enhance logging, alerting rules, or security measures as needed.

Note: Conduct security testing in a controlled environment, with proper authorization to avoid negative impacts on production systems.

Receive all Test Your SOC guides directly to your inbox : Subscribe here.

More to explorer

New Deployed Rules

Process CreationSuspicious Execution Location Of Wermgr.EXEPotential CVE-2023-36874 Exploitation – Fake Wermgr ExecutionNetwork Reconnaissance ActivityNode Process ExecutionsNslookup PowerShell Download Cradle – Process CreationSuspicious

New Deployed Rules

Account ManagementOutgoing Logon with New CredentialsRottenPotato Like Attack PatternScanner PoC for CVE-2019-0708 RDP RCE Vuln File EventWebDAV Temporary Local File CreationSCR File

New Deployed Rules

Process CreationMMC20 Lateral Movement Process CreationMMC Spawning Windows Shell Process CreationPotential Arbitrary Command Execution Using Msdt.EXE Process CreationSuspicious MSDT Parent Process Process

Sign up for our newsletter

Time to market

One-day SIEM integration