---
Name: DeviceCredentialDeployment.exe
Description: Device Credential Deployment
Author: 'Elliot Killick'
Created: '2021-08-16'
Commands:
  - Command: DeviceCredentialDeployment
    Description: Grab the console window handle and set it to hidden
    Usecase: Can be used to stealthily run a console application (e.g. cmd.exe) in the background
    Category: Conceal
    Privileges: User
    MitreID: T1564
    OperatingSystem: Windows 10
Full_Path:
  - Path: C:\Windows\System32\DeviceCredentialDeployment.exe
Detection:
  - IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation
  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml
Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'