Credential Manipulation - Prevented - Elastic Endgame
Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/02/18"
maturity = "production"
promotion = true
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link
in the rule.reference column for additional information.
"""
from = "now-15m"
index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Credential Manipulation - Prevented - Elastic Endgame"
risk_score = 47
rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
setup = """## Setup

This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "medium"
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Credential Manipulation - Prevented - Elastic Endgame

Elastic Endgame is a security solution that prevents unauthorized credential manipulation, a tactic often used by adversaries to escalate privileges by altering access tokens. Attackers exploit this to gain elevated access within a system. The detection rule identifies such attempts by monitoring alerts for token manipulation events, leveraging Elastic Endgame's prevention capabilities to thwart these threats effectively.

### Possible investigation steps

- Review the alert details to confirm the presence of event.kind:alert and event.module:endgame, ensuring the alert is related to Elastic Endgame's prevention capabilities.
- Examine the event.action and endgame.event_subtype_full fields to identify the specific type of token manipulation event that was prevented.
- Investigate the source and destination of the alert by analyzing associated IP addresses, user accounts, and hostnames to determine if the attempt was internal or external.
- Check for any related alerts or logs around the same timeframe to identify potential patterns or coordinated attempts at credential manipulation.
- Assess the impacted system's current security posture and review recent changes or anomalies in user behavior that might have led to the attempted manipulation.
- Consult the MITRE ATT&CK framework for additional context on Access Token Manipulation (T1134) to understand potential adversary techniques and improve defensive measures.

### False positive analysis

- Routine administrative tasks involving legitimate token manipulation can trigger alerts. Review the context of the event to determine if it aligns with expected administrative activities.
- Automated scripts or software updates that modify access tokens as part of their normal operation may cause false positives. Identify these processes and consider adding them to an exception list if they are verified as non-threatening.
- Security tools or monitoring solutions that interact with access tokens for legitimate purposes might be flagged. Validate these tools and exclude them from the rule if they are confirmed to be safe.
- User behavior that involves frequent token changes, such as developers testing applications, can lead to false positives. Monitor these activities and create exceptions for known users or groups performing these tasks regularly.
- Ensure that the rule is not overly broad by refining the query to focus on specific actions or contexts that are more indicative of malicious behavior, reducing the likelihood of false positives.

### Response and remediation

- Immediately isolate the affected system to prevent further unauthorized access or lateral movement within the network.
- Revoke and reset any potentially compromised credentials associated with the affected system to mitigate unauthorized access.
- Conduct a thorough review of access logs and token usage to identify any unauthorized access or privilege escalation attempts.
- Restore the affected system from a known good backup to ensure the integrity of the system and its credentials.
- Implement additional monitoring on the affected system and related accounts to detect any further suspicious activity.
- Escalate the incident to the security operations team for a detailed investigation and to assess the potential impact on other systems.
- Review and update access control policies to ensure that only necessary permissions are granted, reducing the risk of privilege escalation."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
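To show what the rule's KQL query actually selects, and how the `max_signals` value interacts with the `xpack.alerting.rules.run.alerts.max` cap described in the Setup section, here is an added Python example. It is not Elastic's code and does not talk to Elasticsearch: it re-implements the query's boolean logic as exact string matches over a handful of constructed `endgame-*` style documents (the host names and field values are made up), then applies the effective per-run cap. It also carries the "Detected" sibling case so the difference between `endgame.metadata.type:prevention` and a detection-only alert is visible.

```python
"""Added example: evaluate the rule's KQL predicate over constructed sample
documents and compute the effective per-run alert cap.

This is illustrative code, not Elastic's rule engine. Field matching is
simplified to exact string comparison, which approximates KQL term queries
on keyword fields.
"""
from typing import Any, Dict, List, Optional

# Constructed sample documents imitating endgame-* index entries (not real data).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # matches: prevention alert carrying event.action
        "event": {"kind": "alert", "module": "endgame", "action": "token_manipulation_event"},
        "endgame": {"metadata": {"type": "prevention"}},
        "host": {"name": "ws-01"},
    },
    {   # matches: prevention alert where only the subtype field is set
        "event": {"kind": "alert", "module": "endgame", "action": "generic_event"},
        "endgame": {"metadata": {"type": "prevention"},
                    "event_subtype_full": "token_manipulation_event"},
        "host": {"name": "ws-02"},
    },
    {   # does not match: detected but not prevented (sibling "Detected" rule territory)
        "event": {"kind": "alert", "module": "endgame", "action": "token_manipulation_event"},
        "endgame": {"metadata": {"type": "detection"}},
        "host": {"name": "ws-03"},
    },
    {   # does not match: wrong event.module
        "event": {"kind": "alert", "module": "sysmon", "action": "token_manipulation_event"},
        "endgame": {"metadata": {"type": "prevention"}},
        "host": {"name": "ws-04"},
    },
    {   # does not match: event.kind is not "alert"
        "event": {"kind": "event", "module": "endgame", "action": "token_manipulation_event"},
        "endgame": {"metadata": {"type": "prevention"}},
        "host": {"name": "ws-05"},
    },
]


def field(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted ECS-style path ("endgame.metadata.type") in a nested dict."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(doc: Dict[str, Any]) -> bool:
    """Mirror of the rule query:
    event.kind:alert and event.module:endgame and endgame.metadata.type:prevention
    and (event.action:token_manipulation_event
         or endgame.event_subtype_full:token_manipulation_event)
    """
    return (
        field(doc, "event.kind") == "alert"
        and field(doc, "event.module") == "endgame"
        and field(doc, "endgame.metadata.type") == "prevention"
        and (
            field(doc, "event.action") == "token_manipulation_event"
            or field(doc, "endgame.event_subtype_full") == "token_manipulation_event"
        )
    )


def effective_max_alerts(rule_max_signals: int, kibana_alerts_max: Optional[int]) -> int:
    """The rule's max_signals is capped by xpack.alerting.rules.run.alerts.max
    when that Kibana setting is configured (None means "not set" here)."""
    if kibana_alerts_max is None:
        return rule_max_signals
    return min(rule_max_signals, kibana_alerts_max)


def run_rule(docs: List[Dict[str, Any]],
             rule_max_signals: int = 10000,
             kibana_alerts_max: Optional[int] = None) -> List[str]:
    """Return the host names of matching documents, truncated to the effective cap."""
    cap = effective_max_alerts(rule_max_signals, kibana_alerts_max)
    hits = [field(d, "host.name") for d in docs if matches_rule(d)]
    return hits[:cap]


if __name__ == "__main__":
    print("matching hosts:", run_rule(SAMPLE_EVENTS))
    print("cap with kibana max 1000:", effective_max_alerts(10000, 1000))
```

Run as a script it lists the two prevented hosts and shows that a Kibana-wide cap of 1000 overrides the rule's 10000. The detection-only document on `ws-03` is deliberately excluded; that case belongs to the "Credential Manipulation - Detected - Elastic Endgame" rule listed under Related rules, which is why investigators should confirm `endgame.metadata.type` when correlating the two.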
Related rules
- Creation or Modification of a new GPO Scheduled Task or Service
- Credential Manipulation - Detected - Elastic Endgame
- Exploit - Detected - Elastic Endgame
- Exploit - Prevented - Elastic Endgame
- Permission Theft - Detected - Elastic Endgame