Account Password Reset Remotely
editAccount Password Reset Remotely
editIdentifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-system.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724
- https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/
- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
- https://www.elastic.co/security-labs/detect-credential-access
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Persistence
Version: 101 (version history)
Added (Elastic Stack release): 8.0.0
Last modified (Elastic Stack release): 8.6.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
editLegitimate remote account administration.
Rule query
editsequence by host.id with maxspan=5m [authentication where event.action == "logged-in" and /* event 4624 need to be logged */ winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId /* event 4724 need to be logged */ [iam where event.action == "reset-password" and ( /* This rule is very noisy if not scoped to privileged accounts, duplicate the rule and add your own naming convention and accounts of interest here. */ winlog.event_data.TargetUserName: ("*Admin*", "*super*", "*SVC*", "*DC0*", "*service*", "*DMZ*", "*ADM*") or winlog.event_data.TargetSid : ("S-1-5-21-*-500", "S-1-12-1-*-500") ) ] by winlog.event_data.SubjectLogonId
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
Rule version history
edit- Version 101 (8.6.0 release)
-
-
Updated query, changed from:
sequence by host.id with maxspan=5m [authentication where event.action == "logged-in" and /* event 4624 need to be logged */ winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId /* event 4724 need to be logged */ [iam where event.action == "reset-password" and ( /* This rule is very noisy if not scoped to privileged accounts, duplicate the rule and add your own naming convention and accounts of interest here. */ winlog.event_data.TargetUserName: ("*Admin*", "*super*", "*SVC*", "*DC0*", "*service*", "*DMZ*", "*ADM*") or winlog.event_data.TargetSid : "S-1-5-21-*-500" ) ] by winlog.event_data.SubjectLogonId
-
- Version 100 (8.5.0 release)
-
- Formatting only
- Version 5 (8.4.0 release)
-
-
Updated query, changed from:
sequence by host.id with maxspan=5m [authentication where event.action == "logged-in" and /* event 4624 need to be logged */ winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId /* event 4724 need to be logged */ [iam where event.action == "reset-password"] by winlog.event_data.SubjectLogonId
-
- Version 3 (8.2.0 release)
-
- Formatting only
- Version 2 (8.1.0 release)
-
-
Updated query, changed from:
sequence by host.id with maxspan=5m [authentication where event.action == "logged-in" and /* event 4624 need to be logged */ winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and not source.ip in ("127.0.0.1", "::1")] by winlog.event_data.TargetLogonId /* event 4724 need to be logged */ [iam where event.action == "reset-password"] by winlog.event_data.SubjectLogonId
-