Credential Manipulation - Detected - Elastic Endgame
Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/02/18"
3maturity = "production"
4min_stack_comments = "New fields added: required_fields, related_integrations, setup"
5min_stack_version = "8.3.0"
6updated_date = "2024/01/17"
7promotion = true
8
9[rule]
10author = ["Elastic"]
11description = """
12Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the
13link in the rule.reference column for additional information.
14"""
15from = "now-15m"
16index = ["endgame-*"]
17interval = "10m"
18language = "kuery"
19license = "Elastic License v2"
20max_signals = 10000
21name = "Credential Manipulation - Detected - Elastic Endgame"
22risk_score = 73
23rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
24severity = "high"
25tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
26type = "query"
27timestamp_override = "event.ingested"
28
29query = '''
30event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)
31'''
32
33[[rule.threat]]
34framework = "MITRE ATT&CK"
35[[rule.threat.technique]]
36id = "T1134"
37name = "Access Token Manipulation"
38reference = "https://attack.mitre.org/techniques/T1134/"
39
40[rule.threat.tactic]
41id = "TA0004"
42name = "Privilege Escalation"
43reference = "https://attack.mitre.org/tactics/TA0004/"
Related rules
- Credential Manipulation - Prevented - Elastic Endgame
- Exploit - Detected - Elastic Endgame
- Exploit - Prevented - Elastic Endgame
- Permission Theft - Detected - Elastic Endgame
- Permission Theft - Prevented - Elastic Endgame