This playbook is focused on detecting Credential Dumping attack as researched by Accenture Security analysts and engineers.
LSASS Credential Dumping
- Details
- Content
- Dependencies
- Version History
Credential Dumping is an attack technique where attackers extract user authentication credentials such as usernames and passwords. When users log on to a system, the credentials get stored in the memory process Local Security Authority Subsystem Service (LSASS). Both administrative users and SYSTEM can harvest these credentials. This attack is only possible because operating systems store credentials in memory to save users from having to enter credentials whenever they want to use a service.
Playbooks
| Name | Description |
|---|---|
| LSASS Credential Dumpin |
Playbooks
| Name | Description |
|---|---|
| LSASS Credential Dumpin | This playbook is focused on detecting Credential Dumping attack as researched by Accenture Security analysts and engineers. |
Required Content Packs (5)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Carbon Black Cloud Enterprise EDR | By: Cortex XSOAR |
| Common Playbooks | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
| Tanium Threat Response | By: Cortex XSOAR |
Optional Content Packs (2)
| Pack Name | Pack By |
|---|---|
| ServiceNow | By: Cortex XSOAR |
| Splunk | By: Cortex XSOAR |
All level dependencies (9)
| Pack Name | Pack By |
|---|---|
| Common Playbooks | By: Cortex XSOAR |
| Base | By: Cortex XSOAR |
| Cortex REST API | By: Cortex XSOAR |
| Aggregated Scripts | By: Cortex XSOAR |
| Filters And Transformers | By: Cortex XSOAR |
| Tanium Threat Response | By: Cortex XSOAR |
| Carbon Black Cloud Enterprise EDR | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
| Rasterize | By: Cortex XSOAR |
1.0.0 - 2037725 (January 27, 2021)
Credential Dumping is an attack technique where attackers extract user authentication credentials such as usernames and passwords. When users log on to a system, the credentials get stored in the memory process Local Security Authority Subsystem Service (LSASS). Both administrative users and SYSTEM can harvest these credentials. This attack is only possible because operating systems store credentials in memory to save users from having to enter credentials whenever they want to use a service.
1.0.0 - 2037725 (January 27, 2021)
Credential Dumping is an attack technique where attackers extract user authentication credentials such as usernames and passwords. When users log on to a system, the credentials get stored in the memory process Local Security Authority Subsystem Service (LSASS). Both administrative users and SYSTEM can harvest these credentials. This attack is only possible because operating systems store credentials in memory to save users from having to enter credentials whenever they want to use a service.
PLATFORMS
Cortex XSOARCortex XSIAM
INFO
| Supported By | Community | |
| Created | January 27, 2021 | |
| Last Release | March 22, 2026 |
Identity And Access Management
WORKS WITH THE FOLLOWING INTEGRATIONS:
