Query Details

Device Detect Credential Backup

Query

//Detect when a backup is taken from Windows Credential manager

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceEvents
| where ActionType == "CredentialsBackup"
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessFolderPath

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceEvents
| where ActionType == "CredentialsBackup"
| project
    Timestamp,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessFolderPath

Explanation

This query detects when a backup is taken from the Windows Credential Manager by filtering DeviceEvents for the ActionType "CredentialsBackup". For each match it returns the time, device name, initiating process account name, command line, file name, and folder path, which is enough context to tell an administrator's deliberate backup apart from one triggered by an unexpected process. It can be used with the M365 Defender - Device* tables data connector in Microsoft Sentinel or with the Advanced Hunting license data connector; the two versions are identical except for the timestamp column (TimeGenerated in Sentinel, Timestamp in Advanced Hunting).

Details

Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DeviceEvents,ActionType,TimeGenerated,DeviceName,InitiatingProcessAccountName,InitiatingProcessCommandLine,InitiatingProcessFileName,InitiatingProcessFolderPath,Timestamp

Operators

| where| project| ==| "CredentialsBackup"| TimeGenerated| DeviceName| InitiatingProcessAccountName| InitiatingProcessCommandLine| InitiatingProcessFileName| InitiatingProcessFolderPath