
acquire credentials from Windows Credential Manager

# generated using capa explorer for IDA Pro
#
# Detection rule: matches code that pulls stored credentials out of the
# Windows Credential Manager / Vault, either via the CredEnumerate API,
# via the vault files on disk (*.vcrd, Policy.vpol, the Vault and
# Credentials directories under AppData), or by driving vaultcmd.exe.
rule:
  meta:
    name: acquire credentials from Windows Credential Manager
    namespace: collection
    authors:
      - moritz.raabe@mandiant.com
    # capa evaluates the rule per function in static analysis and per thread
    # in dynamic (sandbox trace) analysis
    scopes:
      static: function
      dynamic: thread
    # MITRE ATT&CK technique this behaviour is attributed to
    att&ck:
      - Credential Access::Credentials from Password Stores::Windows Credential Manager [T1555.004]
    # sample hash (32 hex digits, MD5-length) and the address of a function
    # the rule is expected to match in that sample
    examples:
      - c56af5561e3f20bed435fb4355cffc29:0x411A41
  features:
    # any single alternative below is sufficient for the rule to match
    - or:
      - string: ".vcrd"
      # quoted: an unquoted leading "*" would be read by YAML as an alias
      - string: "*.vcrd"
      - string: "Policy.vpol"
      # /.../ is a capa regex; in a plain YAML scalar "\\" stays two
      # characters, which the regex reads as one literal backslash
      - string: /AppData\\Local\\Microsoft\\(Vault|Credentials)/
      - api: CredEnumerate
      # vaultcmd.exe usage: the process-creation match is recorded when present
      # (capa's "optional" does not fail the "and"); one of the vaultcmd
      # indicators in the inner "or" is required
      - and:
        - optional:
          - match: host-interaction/process/create
        - or:
          - string: /vaultcmd(\.exe)?/
          - substring: "/listcreds:"
          # YAML double quotes turn \" into ", so the literal quote characters
          # are part of the matched substring
          - substring: "\"Windows Credentials\""
