Detect Credential Access with Elastic Security

Within our Elastic Security research group, a strong area of focus is implementing detection mechanisms for capabilities we understand adversaries are currently exploiting within environments. We’ll often wait to see the impact that bringing these capabilities to market will have from a detection standpoint. This allows our researchers to explore different detection strategies through these additions, providing deep insight into how effective the Elastic Security platform can be.

When we released Elastic Endpoint Security, our team added new file and registry events to provide defenders with better visibility on techniques and procedures involving some form of sensitive files and/or registry objects access:

• T1555.003 Credentials from Web Browsers
• T1003.002 Security Account Manager
• T1003.004 LSA Secrets
• T1003.005 Cached Domain Credentials
• T1552.001 Credential in Files
• T1555.004 Windows Credential Manager

Recently, one of our security researchers, Samir Bousseaden, started to detail a series of tactics for hunting with some of these new data types and fields within Elastic. He came up with some interesting findings as to how to leverage Elastic Security to its fullest potential.

In Samir's detailed technical post, he outlines a series of tactics for hunting, including leveraging Endpoint security integration to explore these new events using generic KQL or EQL queries. 

Alongside these static hunting queries and capabilities, Samir covers details of our built-in malicious behavior protection rules that can automatically react to suspicious sensitive file/registry access and that are scoped for higher signal scenarios.

Existing Elastic Security can access these capabilities within the product. If you’re new to Elastic Security, take a look at our Quick Start guides (bite-sized training videos to get you started quickly) or our free fundamentals training courses. Refer to the documentation online to see how you can upgrade your Elasticsearch and Logstash deployments. You can always get started with a free 14-day trial of Elastic Cloud. Or download the self-managed version of the Elastic Stack for free.