Access to stored credentials

Test Guide


The aim of this test is to verify that your Security Operations Center (SOC) can effectively detect execution of the `cmdkey /list` command. This command lists the credentials stored on a Windows system, and malicious actors could use it to gather sensitive information. Detecting it allows your SOC to respond promptly to suspicious activity and prevent security breaches.

  1. Test Preparation:
     • Set up a monitored Windows machine in a controlled environment.
     • Ensure the `cmdkey` utility is available on the machine.
  2. Baseline Monitoring:
     • Take a snapshot of the system’s current state (processes and user sessions).
  3. Test Execution:
     • Open Command Prompt on the Windows machine.
     • Execute the command: `cmdkey /list`
  4. Expected SOC Detection:
     • SOC’s monitoring should detect the execution of `cmdkey /list`.
     • SOC team receives an alert with details (timestamp, source IP, username, command).
  5. Review and Analysis:
     • SOC team analyzes the alert to confirm legitimacy.
     • If legitimate, the test is successful.
     • If suspicious/unauthorized, initiate incident response.
  6. Post-Test Validation:
     • Verify threat mitigation.
     • Compare post-test system state with baseline.
  7. Reporting:
     • Document test results and response process in a detailed report.
     • Highlight vulnerabilities and areas for improvement.
  8. Remediation:
     • Address identified weaknesses in SOC monitoring.
     • Enhance logging, alerting rules, or security measures as needed.

Note: Conduct security testing in a controlled environment and with proper authorization, to avoid negative impacts on production systems.
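
One way to express the check behind the "Expected SOC Detection" step, as an added example that is not part of the original guide or any vendor's rule set. It assumes process-creation events that use Sysmon Event ID 1 field names (`Image`, `CommandLine`, `User`, `UtcTime`, `Computer`) and are already parsed into dictionaries; the sample events, host and user names are constructed.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 field names), already
# parsed into dicts. Host names, users and timestamps are made up.
_BASE = {"Computer": "LAB-WIN10", "User": "LAB\\tester"}
SAMPLE_EVENTS = [
    dict(_BASE, UtcTime="2024-01-10 09:14:02", Image="C:\\Windows\\System32\\cmdkey.exe",
         CommandLine="cmdkey /list"),
    dict(_BASE, UtcTime="2024-01-10 09:15:40", Image="C:\\Windows\\System32\\cmdkey.exe",
         CommandLine='"C:\\Windows\\System32\\CMDKEY.EXE"  /LIST'),
    dict(_BASE, UtcTime="2024-01-10 09:16:05", Image="C:\\Windows\\System32\\cmdkey.exe",
         CommandLine="cmdkey /delete:fileserver"),
    dict(_BASE, UtcTime="2024-01-10 09:17:30", Image="C:\\Windows\\System32\\notepad.exe",
         CommandLine="notepad.exe cmdkey_list.txt"),
]

# "/list" as a whole argument, any case. Accepting a leading "-" as well is an
# assumption made to keep the match broad; the guide only shows "/list".
LIST_SWITCH = re.compile(r"(?<!\S)[/-]list(?!\S)", re.IGNORECASE)


def is_cmdkey_list(event):
    """True when the started process is cmdkey.exe and it was asked to list."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return image == "cmdkey.exe" and bool(LIST_SWITCH.search(event.get("CommandLine", "")))


def build_alerts(events):
    """Return one alert per match with the details the SOC should receive."""
    alerts = []
    for ev in events:
        if is_cmdkey_list(ev):
            alerts.append({
                "rule": "cmdkey /list executed",
                "timestamp": ev.get("UtcTime"),
                # A process-creation event has no source IP; report the host.
                "host": ev.get("Computer"),
                "username": ev.get("User"),
                "command": ev.get("CommandLine"),
            })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_EVENTS):
        print(alert)
```

Matching on the image name plus the switch, rather than on the raw string `cmdkey /list`, keeps the alert firing when the command is typed with a full path, different case or extra spaces, and keeps it quiet for other `cmdkey` actions.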
