
A New Alert Pack is available on Devo Exchange!

Alert Pack: Credential Access

This out-of-the-box alert pack bundles critical alerts that can help detect when an adversary has been using the Credential Access MITRE tactic (TA0006) and has tried to use keylogging or credential dumping methods to access your systems.

What is Credential Access?
Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.


Learn more in our Documentation Portal!


Download directly from Devo Exchange!


Here is a sample of 5 of the new alerts!

SecOpsPanAuthFailMultipleUserSingleIP - Detects brute-force attacks via the Palo Alto firewalls. A single source IP address attempted and failed to authenticate multiple times while providing multiple different usernames.

SecOpsGCPSecretsManagerHighActivity - Detects unusually high activity against the Secret Manager service, which could indicate an attacker attempting to access or modify secrets.

SecOpsAWSSamlAccess - This search provides specific information to detect abnormal access, or potential credential hijacking or forgery, especially in federated environments that use the SAML protocol inside the perimeter or at the cloud provider.

SecOpsAwsGetSecretFromNonAmazonIp - Detects a GetSecretValue action whose source IP does not belong to Amazon's instance IP space.

SecOpsWinDcShadowDetected - Detects usage of the Mimikatz LSADUMP::DCShadow module. Attackers can temporarily register a computer as a domain controller and push updates into Active Directory.
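To illustrate the logic behind the first alert above (many failed logins from one source IP with many different usernames), here is an added example of that detection run over constructed log lines. It is not code from the Devo alert pack; the key=value log layout, field names and thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a Palo Alto-like key=value shape
# (an assumption for illustration, not Devo's or Palo Alto's exact schema).
SAMPLE_LOGS = """\
time=2024-03-01T10:00:01 src=198.51.100.7 user=alice result=fail
time=2024-03-01T10:00:05 src=198.51.100.7 user=bob result=fail
time=2024-03-01T10:00:09 src=198.51.100.7 user=carol result=fail
time=2024-03-01T10:00:14 src=198.51.100.7 user=dave result=fail
time=2024-03-01T10:00:20 src=198.51.100.7 user=erin result=fail
time=2024-03-01T10:01:00 src=203.0.113.4 user=alice result=fail
time=2024-03-01T10:01:30 src=203.0.113.4 user=alice result=fail
time=2024-03-01T10:02:00 src=203.0.113.4 user=alice result=fail
time=2024-03-01T10:02:30 src=203.0.113.4 user=alice result=fail
time=2024-03-01T10:03:00 src=203.0.113.4 user=alice result=fail
time=2024-03-01T11:30:02 src=192.0.2.9 user=grace result=success
"""

def parse_line(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields

def find_multi_user_failures(log_text, window=timedelta(minutes=5),
                             min_failures=5, min_users=3):
    """Return {src_ip: sorted usernames} for every source whose failed logins
    inside some sliding window reach min_failures with min_users distinct users."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["result"] == "fail":
            failures[ev["src"]].append((ev["time"], ev["user"]))
    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the span covers at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts
```

The single-user burst from 203.0.113.4 is deliberately not flagged by this rule, since the alert is specifically about one source spraying many usernames; lowering min_users to 1 turns it into a plain brute-force detector.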
