Credential Dumping using a known tool
This Playbook is part of the Cortex Response And Remediation Pack.#
Supported versions
Supported Cortex XSOAR versions: 8.8.0 and later.
This playbook is designed to handle the following alerts:
- Command-line arguments match Mimikatz execution
- Mimikatz command-line arguments
- Credential dumping via wce.exe
- Credential dumping via gsecdump.exe
- PowerShell runs with known Mimikatz arguments
- Hash cracking using Hashcat tool
- Credential dumping via fgdump.exe
- Credential dumping via LaZagne
- Credential dumping via pwdumpx.exe
- Dumping lsass.exe memory for credential extraction
- Memory dumping with comsvcs.dll
The playbook executes the following stages:
Early Containment:
- Handles malicious alerts by terminating the causality process.
Remediation:
- Handles malicious alerts by suggesting the analyst to isolate the endpoint.
Dependencies#
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks#
This playbook does not use any sub-playbooks.
Integrations#
This playbook does not use any integrations.
Scripts#
- SearchIncidentsV2
- get-endpoint-data
- isolate-endpoint
Commands#
- closeInvestigation
- core-terminate-causality
Playbook Inputs#
There are no inputs for this playbook.
Playbook Outputs#
There are no outputs for this playbook.
Playbook Image#
