Credential Dumping - Prevented - Elastic Endgame
Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/02/18"
maturity = "production"
promotion = true
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in
the rule.reference column for additional information.
"""
from = "now-15m"
index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Credential Dumping - Prevented - Elastic Endgame"
risk_score = 47
rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13"
setup = """## Setup

This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "medium"
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Credential Dumping - Prevented - Elastic Endgame

Elastic Endgame is a security solution that proactively prevents credential dumping, a technique where attackers extract sensitive authentication data from systems. Adversaries exploit this to gain unauthorized access to networks. The detection rule identifies prevention alerts by monitoring specific event actions and metadata, signaling attempts to steal credentials, thus enabling timely threat mitigation.

### Possible investigation steps

- Review the alert details to confirm the presence of event.kind:alert and event.module:endgame, ensuring the alert is related to Elastic Endgame's prevention of credential dumping.
- Examine the event.action and endgame.event_subtype_full fields for the value cred_theft_event to understand the specific credential theft attempt that was prevented.
- Investigate the source and destination systems involved in the alert to identify potential points of compromise or targeted systems.
- Check for any related alerts or events in the same timeframe that might indicate a coordinated attack or further attempts at credential access.
- Assess the user accounts involved in the alert to determine if they have been compromised or if there are any unauthorized access attempts.
- Review the risk score and severity to prioritize the investigation and response actions based on the potential impact on the organization.

### False positive analysis

- Routine administrative tools or scripts that access credential stores may trigger alerts. Review and whitelist these tools if they are verified as non-threatening.
- Security software performing legitimate credential checks can be mistaken for credential dumping. Identify and exclude these processes from alert generation.
- Automated backup systems accessing credential data for legitimate purposes might be flagged. Ensure these systems are recognized and excluded from the rule.
- Regular system maintenance activities that involve credential verification could cause false positives. Document and exclude these activities if they are part of standard operations.
- User behavior analytics might misinterpret legitimate user actions as credential theft. Implement user behavior baselines to reduce such false positives.

### Response and remediation

- Isolate the affected system immediately to prevent further unauthorized access or lateral movement within the network.
- Terminate any suspicious processes identified as part of the credential dumping attempt to halt ongoing malicious activities.
- Change all potentially compromised credentials, especially those with elevated privileges, to prevent unauthorized access using stolen credentials.
- Conduct a thorough review of access logs and event data to identify any additional systems that may have been targeted or compromised.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation.
- Implement additional monitoring on the affected system and related network segments to detect any further suspicious activities or attempts at credential theft.
- Review and update endpoint protection configurations to ensure that similar threats are detected and prevented in the future, leveraging insights from the MITRE ATT&CK framework."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
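As an added example (not code from the Elastic rule or its repository), the Python below evaluates this rule's KQL predicate over constructed endgame-* documents, resolving ECS dotted field names against both nested and flat-keyed documents. The host names and events are assumed sample data; the second document shows the boundary with the sibling "Credential Dumping - Detected - Elastic Endgame" rule, which differs only in endgame.metadata.type.

```python
# Added example: mirrors the rule query in plain Python so an analyst can see
# exactly which endgame-* documents would raise this alert and why.
from typing import Any


def get_field(doc: dict, path: str) -> Any:
    """Resolve an ECS dotted field name against a nested document or a flat key."""
    if path in doc:  # flat form, e.g. {"event.kind": "alert"}
        return doc[path]
    cur: Any = doc
    for part in path.split("."):  # nested form, e.g. {"event": {"kind": "alert"}}
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_credential_dumping_prevented(doc: dict) -> bool:
    """event.kind:alert and event.module:endgame and endgame.metadata.type:prevention
    and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)"""
    return (
        get_field(doc, "event.kind") == "alert"
        and get_field(doc, "event.module") == "endgame"
        and get_field(doc, "endgame.metadata.type") == "prevention"
        and (
            get_field(doc, "event.action") == "cred_theft_event"
            or get_field(doc, "endgame.event_subtype_full") == "cred_theft_event"
        )
    )


# Constructed sample documents (hypothetical host names, not real telemetry).
SAMPLE_EVENTS = [
    {"event": {"kind": "alert", "module": "endgame", "action": "cred_theft_event"},
     "endgame": {"metadata": {"type": "prevention"}}, "host": {"name": "ws-01"}},
    # Same technique but only detected, not blocked: belongs to the "Detected" rule instead.
    {"event": {"kind": "alert", "module": "endgame", "action": "cred_theft_event"},
     "endgame": {"metadata": {"type": "detection"}}, "host": {"name": "ws-02"}},
    # Flat-keyed document that carries the alternate subtype field.
    {"event.kind": "alert", "event.module": "endgame", "endgame.metadata.type": "prevention",
     "endgame.event_subtype_full": "cred_theft_event", "host.name": "srv-03"},
    # Non-alert endgame event: must not match even with the cred_theft_event action.
    {"event": {"kind": "event", "module": "endgame", "action": "cred_theft_event"},
     "endgame": {"metadata": {"type": "prevention"}}, "host": {"name": "ws-04"}},
]


def alerting_hosts(docs: list) -> list:
    """Return host.name of each document the rule would fire on, in input order."""
    return [get_field(d, "host.name") for d in docs if matches_credential_dumping_prevented(d)]


if __name__ == "__main__":
    print(alerting_hosts(SAMPLE_EVENTS))  # ['ws-01', 'srv-03']
```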
Related rules
- Command Shell Activity Started via RunDLL32
- Creation or Modification of Domain Backup DPAPI private key
- Credential Dumping - Detected - Elastic Endgame
- Full User-Mode Dumps Enabled System-Wide
- Kirbi File Creation