
Alert Pack: Credential Access (MITRE ATT&CK Tactic TA0006)

Purpose

The Credential Access (MITRE ATT&CK Tactic TA0006) content pack is a bundle of Devo’s out-of-the-box alerts that can help detect when an adversary has been using the credential access tactic and has tried to use keylogging or credential dumping methods to access your systems.

Security Operations application

SecOps users can obtain detailed information if they install these alerts using the Content Manager instead.

SecOpsAuthPasswordSprayIp

SecOpsO365ExcessiveAuthFailureAttempts

SecOpsAwsGetSecretFromNonAmazonIp

SecOpsWinLockoutsEndpoint-AuthAll

SecOpsO365ExcessiveSSOLoginFailures

SecOpsWinUserCredentialDumpRegistry

SecOpsPanAuthExcessiveFailedLoginUser

SecOpsAWSSamlAccess

SecOpsWinRegUtilityHiveExport

SecOpsPanAuthExcessiveFailedLoginIP

SecOpsAWSMultipleFailedConsoleLoginsFromASourceIP

SecOpsWinDcShadowDetected

SecOpsPanAuthFailMultipleUserSingleIP

SecOpsAWSMultipleFailedConsoleLogins

SecOpsWinLockoutsEndpoint

SecOpsAzureDevOpsSecretNotSecured

SecOpsAWSIAMAssumeRolePolicyBruteForce

SecOpsWinLsassMemDump

SecOpsGSuiteExcessiveOAuthPermissionsRequest

SecOpsAWSSecretsManagerSensitiveAdminActionObserved

SecOpsWinWifiCredHarvestNetsh

SecOpsGCPSecretsManagerHighActivity

SecOpsAWSNewUserPoolClientCreated

SecOpsWinADDomainEnumeration


What is Credential Access?

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find it and later manage it as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.