Credential Manipulation - Detected - Elastic Endgame

Elastic Stack Serverless Security

Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

Rule type: query

Rule indices:

• endgame-*

Severity: high

Risk score: 73

Runs every: 10m

Searches indices from: now-15m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 10000

References: None

Tags:

• Elastic
• Elastic Endgame
• Threat Detection
• Privilege Escalation

Version: 9

Rule authors:

• Elastic

Rule license: Elastic License v2

event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Privilege Escalation
  • ID: TA0004
  • Reference URL: https://attack.mitre.org/tactics/TA0004/

• Technique:

  • Name: Access Token Manipulation
  • ID: T1134
  • Reference URL: https://attack.mitre.org/techniques/T1134/