Account Password Reset Remotely
editAccount Password Reset Remotely
editIdentifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-system.security*
- logs-windows.forwarded*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724
- https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/
- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
- https://www.elastic.co/security-labs/detect-credential-access
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Persistence
- Tactic: Impact
- Data Source: System
Version: 116
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editPerformance
This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.
Rule query
editsequence by winlog.computer_name with maxspan=1m [authentication where event.action == "logged-in" and /* event 4624 need to be logged */ winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and not winlog.event_data.TargetUserName : ("svc*", "PIM_*", "_*_", "*-*-*", "*$")] by winlog.event_data.TargetLogonId /* event 4724 need to be logged */ [iam where event.action == "reset-password" and ( /* This rule is very noisy if not scoped to privileged accounts, duplicate the rule and add your own naming convention and accounts of interest here. */ winlog.event_data.TargetUserName: ("*Admin*", "*super*", "*SVC*", "*DC0*", "*service*", "*DMZ*", "*ADM*") or winlog.event_data.TargetSid : ("S-1-5-21-*-500", "S-1-12-1-*-500") ) ] by winlog.event_data.SubjectLogonId
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
-
Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
-
Technique:
- Name: Account Access Removal
- ID: T1531
- Reference URL: https://attack.mitre.org/techniques/T1531/