DeviceCredentialDeployment.exe
Device Credential Deployment
Paths:
C:\Windows\System32\DeviceCredentialDeployment.exe
Acknowledgements:
Elliot Killick (@elliotkillick)
Detection:
IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation
Sigma:
https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml
Conceal
Grab the console window handle and set it to hidden
DeviceCredentialDeployment
Usecase: Can be used to stealthily run a console application (e.g. cmd.exe) in the background
Privileges required: User
OS: Windows 10
MITRE ATT&CK®:
T1564
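
The IOC listed under Detection can be checked against process-creation telemetry. The following is an added example, not part of the original entry or of the linked Sigma rule: it triages constructed events, flagging any execution of the binary, copies run from outside the path listed above, and launches from a console host. The field names (Sysmon Event ID 1 style), the console host list and the sample events are assumptions.

```python
from pathlib import PureWindowsPath

LOLBIN = "devicecredentialdeployment.exe"
EXPECTED_DIR = PureWindowsPath(r"C:\Windows\System32")  # path given in this entry
CONSOLE_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # assumed list, extend as needed

# Constructed process-creation events; field names follow Sysmon Event ID 1 (assumption).
SAMPLE_EVENTS = [
    {"Computer": "WS-014", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "WS-014", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\DeviceCredentialDeployment.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "WS-022", "User": r"CORP\bob",
     "Image": r"C:\Users\bob\AppData\Local\Temp\devicecredentialdeployment.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def triage(events):
    """Return one finding per execution of the binary, with the reasons it stands out."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["Image"])
        if image.name.lower() != LOLBIN:
            continue
        flags = ["lolbin_exec"]  # the IOC: should not run on a normal workstation
        if image.parent != EXPECTED_DIR:  # PureWindowsPath compares case-insensitively
            flags.append("unexpected_path")
        parent = PureWindowsPath(ev.get("ParentImage", ""))
        if parent.name.lower() in CONSOLE_HOSTS:
            flags.append("console_parent")  # that console's window may now be hidden
        findings.append({"host": ev["Computer"], "user": ev["User"],
                         "image": str(image), "parent": str(parent), "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} {f['image']} <- {f['parent']}: {', '.join(f['flags'])}")
```
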