Credential Dumping - Detected - Elastic Endgame

Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/02/18"
 3maturity = "production"
 4min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 5min_stack_version = "8.3.0"
 6updated_date = "2024/01/17"
 7promotion = true
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link
13in the rule.reference column for additional information.
14"""
15from = "now-15m"
16index = ["endgame-*"]
17interval = "10m"
18language = "kuery"
19license = "Elastic License v2"
20max_signals = 10000
21name = "Credential Dumping - Detected - Elastic Endgame"
22risk_score = 73
23rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e"
24severity = "high"
25tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"]
26type = "query"
27timestamp_override = "event.ingested"
28
29query = '''
30event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)
31'''
32
33[[rule.threat]]
34framework = "MITRE ATT&CK"
35[[rule.threat.technique]]
36id = "T1003"
37name = "OS Credential Dumping"
38reference = "https://attack.mitre.org/techniques/T1003/"
39
40    [[rule.threat.technique.subtechnique]]
41    id = "T1003.001"
42    name = "LSASS Memory"
43    reference = "https://attack.mitre.org/techniques/T1003/001/"
44
45[rule.threat.tactic]
46id = "TA0006"
47name = "Credential Access"
48reference = "https://attack.mitre.org/tactics/TA0006/"
