Skip to main content

LSASS Credential Dumpin

This Playbook is part of the LSASS Credential Dumping Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook is focused on detecting Credential Dumping attack as researched by Accenture Security analysts and engineers.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Dedup - Generic v3
  • Entity Enrichment - Generic v3


  • SplunkPy
  • Carbon Black Enterprise EDR
  • Tanium Threat Response
  • ServiceNow v2


  • IncreaseIncidentSeverity


  • extractIndicators
  • servicenow-update-ticket
  • cb-eedr-device-quarantine
  • isWhitelisted
  • tanium-tr-get-file-info
  • tanium-tr-delete-file-from-endpoint
  • servicenow-create-ticket
  • splunk-search

##Playbook Inputs There are no inputs for this playbook.

Playbook Outputs#

There are no outputs for this playbook.