Credential Dumping - Prevented - Elastic Endgame

Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

Rule type: query

Rule indices:

• endgame-*

Severity: medium

Risk score: 47

Runs every: 10m

Searches indices from: now-15m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 10000

References: None

Tags:

• Elastic
• Elastic Endgame
• Threat Detection
• Credential Access

Version: 9

Rule authors:

• Elastic

Rule license: Elastic License v2

event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Credential Access
  • ID: TA0006
  • Reference URL: https://attack.mitre.org/tactics/TA0006/

• Technique:

  • Name: OS Credential Dumping
  • ID: T1003
  • Reference URL: https://attack.mitre.org/techniques/T1003/

• Sub-technique:

  • Name: LSASS Memory
  • ID: T1003.001
  • Reference URL: https://attack.mitre.org/techniques/T1003/001/