
get client handle via SChannel

# capa rule: flags code that obtains a client-side (outbound) credentials handle
# for SChannel through CredSSP. All sub-features under `and` must be present,
# except the one marked `optional`.
rule:
  meta:
    name: get client handle via SChannel
    namespace: data-manipulation/encryption
    authors:
      - matthew.williams@mandiant.com
    # static analysis evaluates the rule per function; dynamic (trace) analysis per thread
    scopes:
      static: function
      dynamic: thread
    # NOTE(review): T1027 is the author's mapping; acquiring a TLS credential handle
    # is not obfuscation by itself, so confirm this is the intended technique.
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    references:
      - https://docs.microsoft.com/en-us/windows/win32/secauthn/getting-schannel-credentials
      - https://docs.microsoft.com/en-us/windows/win32/api/credssp/ns-credssp-credssp_cred
      # NOTE(review): the last path segment reads "credspp_submit_type" — confirm the link resolves
      - https://docs.microsoft.com/en-us/windows/win32/api/credssp/ne-credssp-credspp_submit_type
  features:
    - and:
      # requires the sibling rule named here to match as well; that rule carries
      # most of the precision, since the constant below is a small integer on its own
      - match: get outbound credentials handle via CredSSP
      # CREDSSP_SUBMIT_TYPE value 4 = CredsspSchannelCreds (see the enum reference above)
      - number: 4 = CredsspSchannelCreds
      # provider name is a supporting hint only; its absence does not block a match
      - optional:
        - string: "Microsoft Unified Security Protocol Provider"
