LastPass vault content export attempt

lastpass

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1555-credentials-from-password-stores

Set up the lastpass integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detect possible exfiltration attempts from LastPass through a vault export.

Strategy

This rule monitors LastPass event logs to determine when a vault has been exported. This could indicate exfiltration attempts from LastPass by downloading or exporting items within a vault.

Triage & response

  1. Investigate the {{@usr.name}} attempting to download or export the vault.
  2. If this action was unintended by the user:
    • Rotate the user’s LastPass master password.
    • Identify all the items within the vault that were exported and rotate the necessary authentication credentials.
PREVIEWING: sdk/versions